Windows Analysis Report
asXlZG3aW6.exe

Overview

General Information

Sample name: asXlZG3aW6.exe (renamed because the original name is a hash value)
Original sample name: 0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b.exe
Analysis ID: 1529110
MD5: 51bfab682069e4e7a2ba7b8379d3927b
SHA1: 852ac154d253e128199c7cf766d74ac8a6e9d146
SHA256: 0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Submitted sample is a known malware sample
AI detected suspicious sample
Mass process execution to delay analysis
Obfuscated command line found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • asXlZG3aW6.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\asXlZG3aW6.exe" MD5: 51BFAB682069E4E7A2BA7B8379D3927B)
    • cmd.exe (PID: 7816 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7868 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7916 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7972 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8024 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8076 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8128 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8180 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7276 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7432 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 916 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2376 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1556 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1824 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1944 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2292 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6160 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2572 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3360 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3248 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3856 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4108 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4120 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4980 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5804 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4632 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5808 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7676 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7856 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7896 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7944 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8016 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8068 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8100 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8168 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7216 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7280 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4776 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1096 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2992 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2552 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1816 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5464 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2508 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2984 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3004 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3360 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4112 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6896 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4860 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 528 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5740 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3868 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6528 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7832 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7880 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7896 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7984 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7980 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8024 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4456 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8144 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7188 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7428 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.3947083499.00000000007F2000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_3 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000000.00000002.3947083499.00000000007FE000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_3 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000000.00000002.3947414455.0000000004392000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
Source: Process Memory Space: asXlZG3aW6.exe PID: 7692 | Rule: JoeSecurity_GuLoader_3 | Description: Yara detected GuLoader | Author: Joe Security
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: asXlZG3aW6.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 82.2% probability
Source: asXlZG3aW6.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: asXlZG3aW6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406268 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004026F8 FindFirstFileA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user
Source: asXlZG3aW6.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: asXlZG3aW6.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: Conhost.exe | Process created: 99

System Summary

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Dropped file: MD5: b38561661a7164e3bbb04edc3718fe89 Family: Chafer Alias: APT39, Chafer Description: Chafer's (also known as APT39) focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals. While its targeting scope is global, the activities are concentrated in the Middle East. Its targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. References: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html https://mp.weixin.qq.com/s/c2z4laJ0oq5y0BAEFM3Y9w Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406742
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00404A09
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406F19
Source: asXlZG3aW6.exe | Static PE information: invalid certificate
Source: asXlZG3aW6.exe, 00000000.00000000.1478824750.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal80.troj.evad.winEXE@416/8@0/0
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00404496 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\injektionen.ini
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\Temp\nsg40F8.tmp
Source: asXlZG3aW6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: asXlZG3aW6.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File read: C:\Users\user\Desktop\asXlZG3aW6.exe
Source: unknown | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe "C:\Users\user\Desktop\asXlZG3aW6.exe"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: oleacc.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: riched20.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: usp10.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: msls31.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: asXlZG3aW6.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: Yara match | File source: 00000000.00000002.3947414455.0000000004392000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.3947083499.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.3947083499.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 7692, type: MEMORYSTR
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 0_2_10002D20 push eax; ret 0_2_10002D4E
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeFile created: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\nsExec.dllJump to dropped file
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeFile created: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | RDTSC instruction interceptor: First address: 45F0319, second address: 45F0319, instructions:
              0x00000000 rdtsc
              0x00000002 test dl, al
              0x00000004 cmp ebx, ecx
              0x00000006 jc 00007F3254AB85D8h
              0x00000008 inc ebp
              0x00000009 inc ebx
              0x0000000a rdtsc
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe TID: 7796 | Thread sleep time: -32900s >= -30000s
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406268 FindFirstFileA,FindClose,0_2_00406268
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040572D
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user
          Source: asXlZG3aW6.exe, 00000000.00000002.3947083499.00000000007B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API call chain: ExitProcess graph end node graph_0-4030
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API call chain: ExitProcess graph end node graph_0-4219
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "193^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\asXlZG3aW6.exe Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
ATT&CK Matrix (a number in parentheses is the count of signatures matched for that technique in this analysis):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Process Injection (11) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Clipboard Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Access Token Manipulation (1) | Security Account Manager | Time Based Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Time Based Evasion (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1529110  Sample: asXlZG3aW6.exe  Start date: 08/10/2024  Architecture: WINDOWS  Score: 80

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; AI detected suspicious sample

asXlZG3aW6.exe (started)
  Dropped files: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
  Signatures: Submitted sample is a known malware sample; Obfuscated command line found; Mass process execution to delay analysis; Tries to detect virtualization through RDTSC time measurements
  -> cmd.exe (3 shown) and 61 other processes
     -> Conhost.exe (3 shown, one per cmd.exe shown)
     -> from the 61 other processes: Conhost.exe (3 shown) and 58 other processes

Screenshots: thumbnails only, not reproduced here.
Source | Detection | Scanner | Label | Link
asXlZG3aW6.exe | 55% | ReversingLabs | Win32.Trojan.Guloader |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\nsExec.dll | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe |
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |

No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | asXlZG3aW6.exe | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | asXlZG3aW6.exe | false | URL Reputation: safe | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529110
Start date and time: 2024-10-08 16:40:55 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 134
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: asXlZG3aW6.exe (renamed because the original name is a hash value)
Original Sample Name: 0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@416/8@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 43
• Number of non-executed functions: 31
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtWriteVirtualMemory calls found.
          • VT rate limit hit for: asXlZG3aW6.exe
Time | Type | Description
10:42:49 | API Interceptor | 28x Sleep call for process: asXlZG3aW6.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\nsExec.dll | Shipping documents 000288488599900.img | malicious | GuLoader
 | Zincize.exe | malicious | GuLoader
 | Zincize.exe | malicious | GuLoader
 | r14836901-5B4A-.exe | malicious | FormBook, GuLoader
 | r14836901-5B4A-.exe | malicious | GuLoader
 | Bootblacks.exe | malicious | FormBook, GuLoader
 | Bootblacks.exe | malicious | GuLoader
 | Halkbank_Ekstre_06535798_98742134.pdf.exe | malicious | AgentTesla, GuLoader
 | Halkbank_Ekstre_87762122_97575533.pdf.exe | malicious | AgentTesla, GuLoader
 | z6RemittanceAdvise.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll | aMfizaMilo.exe | malicious | GuLoader
 | 1ppvR5VRT6.exe | malicious | GuLoader
 | Ozb8aojWew.exe | malicious | GuLoader
 | aMfizaMilo.exe | malicious | GuLoader
 | 1ppvR5VRT6.exe | malicious | GuLoader
 | Ozb8aojWew.exe | malicious | GuLoader
 | Documents.com.exe | malicious | GuLoader
 | Documents.com.exe | malicious | GuLoader
 | 27062024-322copy.exe | malicious | GuLoader
 | 27062024-322copy.exe | malicious | GuLoader
Process: C:\Users\user\Desktop\asXlZG3aW6.exe
File Type: data
Category: dropped
Size (bytes): 40737
Entropy (8bit): 1.2389874957793674
Encrypted: false
SSDEEP: 384:T2+RMqzowpQiyrzM4z9yQkjMuWmGmsCtRMFwZqvZ3uEr:TkUbBwuW/lvZ3Z
MD5: FF8F7AB23828659C95DFE70F38396D11
SHA1: 600CA9BCEDC89C4D09700FC026D202B75FA912BF
SHA-256: 6B58CFC8557F3DF7B7A3C4BEC537F1F1D3A8AAD181F90FF5510C7CF3AA071D7E
SHA-512: DF1DEC9390BB953BB2FD2890FAA8774D30B131DA197BDDE4EEAB74B2F047C280369FD401DB488254CBA7026D86B09C2BE185243528D5D0066CB7A602C93747CC
Malicious: false
                                                  Preview:N....^.......>......."...............................................c..............I.............6......................................?...........................................................}.................h.k........................................]........................}....................................Y.......................>.?x...........................+E....V.........6..........................................................................;.........>................].."......................t............................................[...............................................>..............].............}........Y..........................(..............,.......(................................t...e......../................................m.....p.............p.0...........0.........c.................$..........]..I......7..................u...............U......!..................................................................w............................
Process: C:\Users\user\Desktop\asXlZG3aW6.exe
File Type: data
Category: dropped
Size (bytes): 157817
Entropy (8bit): 7.749478906211848
Encrypted: false
SSDEEP: 3072:gnIneUvKwEn40ehoKmbJrFfdhK1tinDQxs3mDtO/27Kw23DaaZ1:wNLn4XUJw1tiDMQ/Dlx1
MD5: C673D9D0189C507C168EBBB4231C4ECD
SHA1: D0B623EEC05DE3463C126257B3431DDBEFB32780
SHA-256: 5477DC5E06DCDBA04A8AD8EFEB34812A51FD01F92C13C83BB3AB223291631679
SHA-512: C3F4C7E1076E20271B9738A11AC22B4B40A450090C0736807DD2F2BE5283E00F60C8420942AA2B5044FD7001FDDFDC76362AD1C11B44E3D2F8BA2F2A3DF98295
Malicious: false
                                                  Preview:............~.......................P......8..........++.{............y...uu....5................................WW............]]]]]]].........b...f...................m.QQ..........11.kk....xx...................***......=.................YY..8...ss."..................c.................................`......................l..../.....G.nn..}}}}...........WW...........................;.SS.ss.........%...........mm...................... ....ttt...r...s.............................T..^^......y.v....@@...................................UUU......J.................iii............x..................??????..................]].................PP..{.8.............................W..a...........`f................[.q...f........P.f.....x.........f...!....|....f....\....f!.X......v)........f...!.........f.....u/f...........* .......~.f.........,^.......................4.1...............f...............J...|.=..et<P..f...f!..(.0.f..Q......Tf.........`.....=...&..*./.f......a....f...
Process: C:\Users\user\Desktop\asXlZG3aW6.exe
File Type: data
Category: dropped
Size (bytes): 24379
Entropy (8bit): 1.2877836589226113
Encrypted: false
SSDEEP: 96:vj9QuXWgrg/taXBoTUjTCtW2l+tlxtYpvGrF35bcDRk7:7euXC4GTUjTCtWptlgGRpYDRk7
MD5: 82F6FE55582C08895D7AED7EBCD309E0
SHA1: 46FEA0B972557ED20C61318A290790D45BB56AD2
SHA-256: BBE23D455ECA17ACBE3A3E69348894EB4192FCCA34B8D4E8500B927F8B847191
SHA-512: 2D8D49CCDBB0576DFAA6EA7388808FB97A67EA77B7513ADFD3A3CF82D808D9CA565055962E831322B9C0B8E61878E36DD0C2F03F90FC2D18BBC3C57D7BD1D62F
Malicious: false
                                                  Preview:.........................................................................$..........................Q..........O....................[.............H...............q............,....h.........................n.........f...............................................................%...............................N...........p.................w........................................................\.........................................0./...........=..........................................b....................z....v....[n...............................h........................................................$..................9.d...........C...................T.......K............................................e................F............ ........................................................................h....................................................?.....0................................................................................................................
Process: C:\Users\user\Desktop\asXlZG3aW6.exe
File Type: Matlab v4 mat-file (little endian) \260\260\260, numeric, rows 175, columns 640024782, imaginary
Category: dropped
Size (bytes): 5446
Entropy (8bit): 4.783831678395652
Encrypted: false
SSDEEP: 96:Omc7iiRgxbsSiQlfb4qQbgvMyAPkNhnlXOpo8/XEKpGFWqG02:dB6VQlfbnmgvSPkzlXOd/XEKrrX
MD5: 5D479B8253A73120FFAF15D5A08DFF32
SHA1: 969526C8E82E2F103734DE4155A51B3BCC78558C
SHA-256: 4681F0FC679934F38909309D25CBD3097CC15D6451006F406B2DE93A31F62AE0
SHA-512: 4D7FF92EB936D2328CCB83CB376CCC8868FF1E6F8FDE99D6F694F7A5A7C087801B0052B2950EC8AF411817A55021E38C75BB03EA0F4FE250009A2FA0F16D0BB7
Malicious: false
                                                  Process:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):346
                                                  Entropy (8bit):4.268352562006007
                                                  Encrypted:false
                                                  SSDEEP:6:eMBMSmF/MTCaCIYIE42xIsnCRAbA3C6rNzxU2PrmCPAyEzFE:eMBMSmFlv9xIqCoA399xU9FE
                                                  MD5:D378C78EBC1A9D40DA5E104B7D7D7E22
                                                  SHA1:9AA3FC54431533BE92C2C39A025B040CAF20E1DD
                                                  SHA-256:E5ED569DABF0C53A829B15785CCEF9B64093381381850C395E12CB72F66EB342
                                                  SHA-512:FF2A297C6969F9166A046EF95893DE9327A8AF19EA50BE8D163D48F46549312E6E0F40C0944829A6E2974A016A62261864668059B380803F8C40CE4306F43144
                                                  Malicious:false
                                                  Preview:uselvstndig fuglegrs kontingentbwr.lednings kupforsg drearies fagmandens.arnottos bowery ninetyknot strumaticness cystein tragion parodial stdfangeren tonsillen..stjkildes syringium ablesse studinerne.furnishings spejlkabinettets parentesstrukturernes undvrligt lithotriptor progs,cicatrix sancties longboat bjergkderne udeerhvervs salgsperioden.
                                                  Process:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):222294
                                                  Entropy (8bit):1.2577793212036361
                                                  Encrypted:false
                                                  SSDEEP:768:CRqvVaI4KC9RxN9T9vtnvZn0daCx2DLwbM+4xArw7pwAoOpZKFvb/me1P3TetAJt:I7nF9oX4+rwZeTNl1RR
                                                  MD5:14FEF3D8F0F6E481B60A7FA7F6B94033
                                                  SHA1:2021E349D958D63EAC148A2DC82479A8B31F5E1E
                                                  SHA-256:726E6DF9C645C59EEF4E8F3576F3F8A6D7124B51F4B9E24F4425EF1859B01894
                                                  SHA-512:CC36AD4A90148A9B608C6DE1FAC39311E49B61D002437FD68D1960B76F6194CA94C1110B708E33B33D58B0919471E3AD1AD83D9E0E9AAB51B07FB4FFF0681A55
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):11264
                                                  Entropy (8bit):5.76781505116372
                                                  Encrypted:false
                                                  SSDEEP:192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
                                                  MD5:55A26D7800446F1373056064C64C3CE8
                                                  SHA1:80256857E9A0A9C8897923B717F3435295A76002
                                                  SHA-256:904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8
                                                  SHA-512:04B8AB7A85C26F188C0A06F524488D6F2AC2884BF107C860C82E94AE12C3859F825133D78338FD2B594DFC48F7DC9888AE76FEE786C6252A5C77C88755128A5B
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: aMfizaMilo.exe, Detection: malicious
                                                  • Filename: 1ppvR5VRT6.exe, Detection: malicious
                                                  • Filename: Ozb8aojWew.exe, Detection: malicious
                                                  • Filename: aMfizaMilo.exe, Detection: malicious
                                                  • Filename: 1ppvR5VRT6.exe, Detection: malicious
                                                  • Filename: Ozb8aojWew.exe, Detection: malicious
                                                  • Filename: Documents.com.exe, Detection: malicious
                                                  • Filename: Documents.com.exe, Detection: malicious
                                                  • Filename: 27062024-322copy.exe, Detection: malicious
                                                  • Filename: 27062024-322copy.exe, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...R..Y...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):6656
                                                  Entropy (8bit):4.994818958746835
                                                  Encrypted:false
                                                  SSDEEP:96:f7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNPS3e:zXhHR0aTQN4gRHdMqJVgNPR
                                                  MD5:B38561661A7164E3BBB04EDC3718FE89
                                                  SHA1:F13C873C8DB121BA21244B1E9A457204360D543F
                                                  SHA-256:C2C88E4A32C734B0CB4AE507C1A9A1B417A2375079111FB1B35FAB23AEDD41D9
                                                  SHA-512:FEDCAAC20722DE3519382011CCF22314AF3EDCD11B69F814DB14710966853B69B9B5FC98383EDCDB64D050FF825264EABA27B1C5ADFE61D1FC9D77F13A052CED
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: Shipping documents 000288488599900.img, Detection: malicious
                                                  • Filename: Zincize.exe, Detection: malicious
                                                  • Filename: Zincize.exe, Detection: malicious
                                                  • Filename: r14836901-5B4A-.exe, Detection: malicious
                                                  • Filename: r14836901-5B4A-.exe, Detection: malicious
                                                  • Filename: Bootblacks.exe, Detection: malicious
                                                  • Filename: Bootblacks.exe, Detection: malicious
                                                  • Filename: Halkbank_Ekstre_06535798_98742134.pdf.exe, Detection: malicious
                                                  • Filename: Halkbank_Ekstre_87762122_97575533.pdf.exe, Detection: malicious
                                                  • Filename: z6RemittanceAdvise.exe, Detection: malicious
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...P..Y...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Entropy (8bit):7.763622792773295
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:asXlZG3aW6.exe
                                                  File size:292'592 bytes
                                                  MD5:51bfab682069e4e7a2ba7b8379d3927b
                                                  SHA1:852ac154d253e128199c7cf766d74ac8a6e9d146
                                                  SHA256:0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
                                                  SHA512:fda596272ca81d10d8d3c6e029d83395d7f305636f1a21e3fe147f8751c52dc162b21bfcf6fcc0fa09d0c2bddb01e665473a1536c62bab605c5402996f64b8bf
                                                  SSDEEP:3072:2wDijpS4DbYccZDMH/VQRTibm2WZadkXXh+gtCyk+CebDbVs9MNoe2jDwwY9ZM+5:2FYVMH/8gm2kBA0bOKq/j0w6MpdyU
                                                  TLSH:6F540242FFA1C937CDB9473104799F6BAB728E2085426B87B3643F1E3C5319246AE306
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...z..Y.................d...|.....
                                                  Icon Hash:0b397c94d451730f
                                                  Entrypoint:0x4031f1
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x597FCC7A [Tue Aug 1 00:34:02 2017 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:3abe302b6d9a1256e6a915429af4ffd2
                                                  Signature Valid:false
                                                  Signature Issuer:CN="xylografen taxiflyvningerne ", O=Eksaminationers, L=Tardinghen, S=Hauts-de-France, C=FR
                                                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                  Error Number:-2146762487
                                                  Not Before, Not After
                                                  • 20/12/2023 03:48:51 19/12/2026 03:48:51
                                                  Subject Chain
                                                  • CN="xylografen taxiflyvningerne ", O=Eksaminationers, L=Tardinghen, S=Hauts-de-France, C=FR
                                                  Version:3
                                                  Thumbprint MD5:1FD958E7FB10BCC3C84CB77EA385F242
                                                  Thumbprint SHA-1:21DBA15B04835DD8C468C0B729FCA0A240CB8746
                                                  Thumbprint SHA-256:A9273EAF8B8C14D37A0844ED7629802AC8C89F03E6874844922B012F12E84381
                                                  Serial:0133359A3AD4FC68D1F12D855EF725D383676E2B
                                                  Instruction
                                                  sub esp, 00000184h
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  xor ebx, ebx
                                                  push 00008001h
                                                  mov dword ptr [esp+18h], ebx
                                                  mov dword ptr [esp+10h], 0040A198h
                                                  mov dword ptr [esp+20h], ebx
                                                  mov byte ptr [esp+14h], 00000020h
                                                  call dword ptr [004080A0h]
                                                  call dword ptr [0040809Ch]
                                                  and eax, BFFFFFFFh
                                                  cmp ax, 00000006h
                                                  mov dword ptr [0042F40Ch], eax
                                                  je 00007F325511FCA3h
                                                  push ebx
                                                  call 00007F3255122D5Ah
                                                  cmp eax, ebx
                                                  je 00007F325511FC99h
                                                  push 00000C00h
                                                  call eax
                                                  mov esi, 00408298h
                                                  push esi
                                                  call 00007F3255122CD6h
                                                  push esi
                                                  call dword ptr [00408098h]
                                                  lea esi, dword ptr [esi+eax+01h]
                                                  cmp byte ptr [esi], bl
                                                  jne 00007F325511FC7Dh
                                                  push 0000000Ah
                                                  call 00007F3255122D2Eh
                                                  push 00000008h
                                                  call 00007F3255122D27h
                                                  push 00000006h
                                                  mov dword ptr [0042F404h], eax
                                                  call 00007F3255122D1Bh
                                                  cmp eax, ebx
                                                  je 00007F325511FCA1h
                                                  push 0000001Eh
                                                  call eax
                                                  test eax, eax
                                                  je 00007F325511FC99h
                                                  or byte ptr [0042F40Fh], 00000040h
                                                  push ebp
                                                  call dword ptr [00408044h]
                                                  push ebx
                                                  call dword ptr [00408288h]
                                                  mov dword ptr [0042F4D8h], eax
                                                  push ebx
                                                  lea eax, dword ptr [esp+38h]
                                                  push 00000160h
                                                  push eax
                                                  push ebx
                                                  push 00429830h
                                                  call dword ptr [00408178h]
                                                  push 0040A188h
                                                  Programming Language:
                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                  Name                                 | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8534          | 0xa0         | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x42000         | 0x9220       | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x46d50         | 0x9a0        | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_IAT            | 0x8000          | 0x298        | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                                  Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
                                                  .text  | 0x1000          | 0x6254       | 0x6400   | d550b03059038df9bf82548da8080ff6 | False    | 0.6676171875       | data      | 6.4338643172916266 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x8000          | 0x1354       | 0x1400   | 5143a41b917c20afc11d259fd85b6ffc | False    | 0.4599609375       | data      | 5.236269898436511  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data  | 0xa000          | 0x25518      | 0x600    | 4c97d95c0fc95b712d16eb7b0ee5a871 | False    | 0.4557291666666667 | data      | 4.044625496015545  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .ndata | 0x30000         | 0x12000      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0                | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc  | 0x42000         | 0x9220       | 0x9400   | 8c49359dc2f10c4880e9ad8ff14ecafe | False    | 0.6563819679054054 | data      | 5.825257334851781  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  Name          | RVA     | Size   | Type                                                                              | Language | Country       | ZLIB Complexity
                                                  RT_ICON       | 0x42298 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896                | English  | United States | 0.6507439773264053
                                                  RT_ICON       | 0x464c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600                  | English  | United States | 0.6897302904564315
                                                  RT_ICON       | 0x48a68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224                  | English  | United States | 0.74906191369606
                                                  RT_ICON       | 0x49b10 | 0x988  | Device independent bitmap graphic, 24 x 48 x 32, image size 2400                  | English  | United States | 0.7922131147540984
                                                  RT_ICON       | 0x4a498 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088                  | English  | United States | 0.8519503546099291
                                                  RT_DIALOG     | 0x4a900 | 0x100  | data                                                                              | English  | United States | 0.5234375
                                                  RT_DIALOG     | 0x4aa00 | 0x11c  | data                                                                              | English  | United States | 0.6056338028169014
                                                  RT_DIALOG     | 0x4ab20 | 0x60   | data                                                                              | English  | United States | 0.7291666666666666
                                                  RT_GROUP_ICON | 0x4ab80 | 0x4c   | data                                                                              | English  | United States | 0.7763157894736842
                                                  RT_VERSION    | 0x4abd0 | 0x30c  | data                                                                              | English  | United States | 0.4756410256410256
                                                  RT_MANIFEST   | 0x4aee0 | 0x340  | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English  | United States | 0.5540865384615384
                                                  DLL          | Import
                                                  KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
                                                  USER32.dll   | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
                                                  GDI32.dll    | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                  SHELL32.dll  | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
                                                  ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                                  COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                  ole32.dll    | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                                  Language of compilation system | Country where language is spoken
                                                  English                        | United States
                                                  Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
                                                  Oct 8, 2024 16:42:20.646572113 CEST | 53          | 52709     | 1.1.1.1      | 192.168.2.9
                                                  Oct 8, 2024 16:42:51.335836887 CEST | 53          | 63838     | 162.159.36.2 | 192.168.2.9
                                                  Oct 8, 2024 16:42:52.981456995 CEST | 53          | 56601     | 1.1.1.1      | 192.168.2.9
                                                  Oct 8, 2024 16:42:52.981586933 CEST | 53          | 56601     | 1.1.1.1      | 192.168.2.9

                                                  Target ID:0
                                                  Start time:10:42:08
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\asXlZG3aW6.exe"
                                                  Imagebase:0x400000
                                                  File size:292'592 bytes
                                                  MD5 hash:51BFAB682069E4E7A2BA7B8379D3927B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.3947083499.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.3947083499.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3947414455.0000000004392000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:2
                                                  Start time:10:42:10
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "250^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:3
                                                  Start time:10:42:10
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:4
                                                  Start time:10:42:11
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "244^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:5
                                                  Start time:10:42:11
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:6
                                                  Start time:10:42:11
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "227^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:7
                                                  Start time:10:42:12
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:10:42:12
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "255^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:9
                                                  Start time:10:42:12
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:10:42:12
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "244^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:11
                                                  Start time:10:42:12
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:12
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "253^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:13
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:14
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "130^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:15
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:16
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "131^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:17
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:18
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "139^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:19
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:20
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "139^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:21
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:22
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "242^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:23
                                                  Start time:10:42:13
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:24
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "195^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:25
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:26
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "212^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:27
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:28
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "208^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:29
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:30
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "197^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:31
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:32
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "212^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:33
                                                  Start time:10:42:14
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:34
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "247^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:35
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:36
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "216^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:37
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:38
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "221^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:39
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:40
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "212^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:41
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:42
                                                  Start time:10:42:15
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "240^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:43
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:44
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "153^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:45
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:46
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "220^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:47
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:48
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:49
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:50
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "195^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:51
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:52
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "133^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:53
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:54
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:55
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:56
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "157^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:57
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:58
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:59
                                                  Start time:10:42:16
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:60
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "216^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:61
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:62
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:63
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:64
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:65
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:66
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "201^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:67
                                                  Start time:10:42:17
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:68
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "137^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:69
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:71
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:72
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:73
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:74
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:75
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:76
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:77
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:78
                                                  Start time:10:42:18
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:79
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:80
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:81
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:82
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:83
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:84
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:85
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "157^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:86
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:87
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:88
                                                  Start time:10:42:19
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:89
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "216^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:90
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:91
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:92
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:93
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:94
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:95
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "157^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:96
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:97
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:98
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:99
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "193^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:100
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:101
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:102
                                                  Start time:10:42:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:103
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:104
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:105
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "157^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:106
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:107
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:108
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:109
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "216^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:110
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:111
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:112
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:113
                                                  Start time:10:42:21
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "133^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:114
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:115
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "157^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:116
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:117
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:118
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:119
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "216^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:120
                                                  Start time:10:42:22
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:121
                                                  Start time:10:42:23
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "145^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:122
                                                  Start time:10:42:23
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:123
                                                  Start time:10:42:23
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "129^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:124
                                                  Start time:10:42:23
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:125
                                                  Start time:10:42:24
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "201^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:126
                                                  Start time:10:42:24
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:127
                                                  Start time:10:42:24
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):
                                                  Commandline:cmd.exe /c set /a "137^177"
                                                  Imagebase:
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:
                                                  Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 128
Start time: 10:42:24
Start date: 08/10/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 129
Start time: 10:42:24
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "129^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Target ID: 130
Start time: 10:42:24
Start date: 08/10/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false
Execution Graph

Execution Coverage: 22.5%
Dynamic/Decrypted Code Coverage: 14.2%
Signature Coverage: 20.1%
Total number of Nodes: 1483
Total number of Limit Nodes: 48
4682->4678 4682->4679 4682->4681 4743 100012ad 4682->4743 4687 100027f6 4684->4687 4685 1000289b VirtualAlloc 4686 100028b9 4685->4686 4688 100029b5 4686->4688 4689 100029aa GetLastError 4686->4689 4687->4685 4688->4626 4689->4688 4691 100021c0 4690->4691 4692 1000170b 4690->4692 4691->4692 4693 100021d2 GlobalAlloc 4691->4693 4692->4606 4693->4691 4698 100025a3 4694->4698 4695 100025f4 GlobalAlloc 4699 10002616 4695->4699 4696 10002607 4697 1000260c GlobalSize 4696->4697 4696->4699 4697->4699 4698->4695 4698->4696 4699->4631 4701 10002aaa 4700->4701 4702 10002aea GlobalFree 4701->4702 4750 10001215 GlobalAlloc 4703->4750 4705 10002438 lstrcpynA 4712 100023e4 4705->4712 4706 10002449 StringFromGUID2 WideCharToMultiByte 4706->4712 4707 1000246d WideCharToMultiByte 4707->4712 4708 100024b2 GlobalFree 4708->4712 4709 1000248e wsprintfA 4709->4712 4710 100024ec GlobalFree 4710->4619 4711 10001266 2 API calls 4711->4712 4712->4705 4712->4706 4712->4707 4712->4708 4712->4709 4712->4710 4712->4711 4751 100012d1 4712->4751 4755 10001215 GlobalAlloc 4714->4755 4716 1000155f 4717 1000156c lstrcpyA 4716->4717 4719 10001586 4716->4719 4720 100015a0 4717->4720 4719->4720 4721 1000158b wsprintfA 4719->4721 4722 10001266 4720->4722 4721->4720 4723 100012a8 GlobalFree 4722->4723 4724 1000126f GlobalAlloc lstrcpynA 4722->4724 4723->4629 4724->4723 4726 100023ac 4725->4726 4728 100017c5 4725->4728 4727 100023c5 GlobalFree 4726->4727 4726->4728 4727->4726 4728->4638 4728->4639 4730 10001266 2 API calls 4729->4730 4731 10001503 4730->4731 4731->4641 4732->4644 4733->4650 4735 10001552 4734->4735 4735->4667 4742 10001215 GlobalAlloc 4736->4742 4738 10001233 lstrcpynA 4738->4656 4739->4650 4740->4669 4741->4670 4742->4738 4744 100012b4 4743->4744 4745 10001224 2 API calls 4744->4745 4746 100012cf 4745->4746 4746->4682 4748 10002529 VirtualAlloc 4747->4748 4749 1000257f 4747->4749 4748->4749 4749->4681 4750->4712 4752 100012f9 4751->4752 4753 100012da 4751->4753 4752->4712 4753->4752 
4754 100012e0 lstrcpyA 4753->4754 4754->4752 4755->4716 5032 1000103d 5033 1000101b 5 API calls 5032->5033 5034 10001056 5033->5034 5035 4018fd 5036 401934 5035->5036 5037 402ac1 17 API calls 5036->5037 5038 401939 5037->5038 5039 40572d 67 API calls 5038->5039 5040 401942 5039->5040 5041 40257d 5042 402582 5041->5042 5043 402596 5041->5043 5044 402a9f 17 API calls 5042->5044 5045 402ac1 17 API calls 5043->5045 5047 40258b 5044->5047 5046 40259d lstrlenA 5045->5046 5046->5047 5048 4025bf 5047->5048 5049 405ba5 WriteFile 5047->5049 5049->5048 5050 100029bf 5051 100029d7 5050->5051 5052 10001534 2 API calls 5051->5052 5053 100029f2 5052->5053 5054 401000 5055 401037 BeginPaint GetClientRect 5054->5055 5056 40100c DefWindowProcA 5054->5056 5058 4010f3 5055->5058 5059 401179 5056->5059 5060 401073 CreateBrushIndirect FillRect DeleteObject 5058->5060 5061 4010fc 5058->5061 5060->5058 5062 401102 CreateFontIndirectA 5061->5062 5063 401167 EndPaint 5061->5063 5062->5063 5064 401112 6 API calls 5062->5064 5063->5059 5064->5063 5065 405000 5066 405010 5065->5066 5067 405024 5065->5067 5068 405016 5066->5068 5077 40506d 5066->5077 5069 40502c IsWindowVisible 5067->5069 5073 405043 5067->5073 5071 404072 SendMessageA 5068->5071 5072 405039 5069->5072 5069->5077 5070 405072 CallWindowProcA 5074 405020 5070->5074 5071->5074 5078 404957 SendMessageA 5072->5078 5073->5070 5083 4049d7 5073->5083 5077->5070 5079 4049b6 SendMessageA 5078->5079 5080 40497a GetMessagePos ScreenToClient SendMessageA 5078->5080 5082 4049ae 5079->5082 5081 4049b3 5080->5081 5080->5082 5081->5079 5082->5073 5092 405f65 lstrcpynA 5083->5092 5085 4049ea 5093 405ec3 wsprintfA 5085->5093 5087 4049f4 5088 40140b 2 API calls 5087->5088 5089 4049fd 5088->5089 5094 405f65 lstrcpynA 5089->5094 5091 404a04 5091->5077 5092->5085 5093->5087 5094->5091 5095 401900 5096 402ac1 17 API calls 5095->5096 5097 401907 5096->5097 5098 405681 MessageBoxIndirectA 5097->5098 5099 401910 5098->5099 3699 402682 3700 402689 
3699->3700 3706 4028fe 3699->3706 3707 402a9f 3700->3707 3702 402690 3703 40269f SetFilePointer 3702->3703 3704 4026af 3703->3704 3703->3706 3710 405ec3 wsprintfA 3704->3710 3711 405f87 3707->3711 3709 402ab4 3709->3702 3710->3706 3725 405f94 3711->3725 3712 4061b6 3713 4061cb 3712->3713 3744 405f65 lstrcpynA 3712->3744 3713->3709 3715 406190 lstrlenA 3715->3725 3717 405f87 10 API calls 3717->3715 3720 4060ac GetSystemDirectoryA 3720->3725 3721 4060bf GetWindowsDirectoryA 3721->3725 3723 405f87 10 API calls 3723->3725 3724 406139 lstrcatA 3724->3725 3725->3712 3725->3715 3725->3717 3725->3720 3725->3721 3725->3723 3725->3724 3726 4060f3 SHGetSpecialFolderLocation 3725->3726 3728 405e4c 3725->3728 3733 4061cf 3725->3733 3742 405ec3 wsprintfA 3725->3742 3743 405f65 lstrcpynA 3725->3743 3726->3725 3727 40610b SHGetPathFromIDListA CoTaskMemFree 3726->3727 3727->3725 3745 405deb 3728->3745 3731 405e80 RegQueryValueExA RegCloseKey 3732 405eaf 3731->3732 3732->3725 3739 4061db 3733->3739 3734 406243 3735 406247 CharPrevA 3734->3735 3737 406262 3734->3737 3735->3734 3736 406238 CharNextA 3736->3734 3736->3739 3737->3725 3739->3734 3739->3736 3740 406226 CharNextA 3739->3740 3741 406233 CharNextA 3739->3741 3749 405928 3739->3749 3740->3739 3741->3736 3742->3725 3743->3725 3744->3713 3746 405dfa 3745->3746 3747 405e03 RegOpenKeyExA 3746->3747 3748 405dfe 3746->3748 3747->3748 3748->3731 3748->3732 3750 40592e 3749->3750 3751 405941 3750->3751 3752 405934 CharNextA 3750->3752 3751->3739 3752->3750 5100 401502 5101 40150a 5100->5101 5103 40151d 5100->5103 5102 402a9f 17 API calls 5101->5102 5102->5103 3765 401c04 3766 402a9f 17 API calls 3765->3766 3767 401c0b 3766->3767 3768 402a9f 17 API calls 3767->3768 3769 401c18 3768->3769 3770 401c2d 3769->3770 3771 402ac1 17 API calls 3769->3771 3772 401c3d 3770->3772 3775 402ac1 17 API calls 3770->3775 3771->3770 3773 401c94 3772->3773 3774 401c48 3772->3774 3787 402ac1 3773->3787 3776 402a9f 17 API calls 3774->3776 3775->3772 3778 
401c4d 3776->3778 3780 402a9f 17 API calls 3778->3780 3782 401c59 3780->3782 3781 402ac1 17 API calls 3783 401ca2 FindWindowExA 3781->3783 3784 401c84 SendMessageA 3782->3784 3785 401c66 SendMessageTimeoutA 3782->3785 3786 401cc0 3783->3786 3784->3786 3785->3786 3788 402acd 3787->3788 3789 405f87 17 API calls 3788->3789 3790 402aee 3789->3790 3791 401c99 3790->3791 3792 4061cf 5 API calls 3790->3792 3791->3781 3792->3791 5104 404a09 GetDlgItem GetDlgItem 5105 404a5b 7 API calls 5104->5105 5112 404c73 5104->5112 5106 404af1 SendMessageA 5105->5106 5107 404afe DeleteObject 5105->5107 5106->5107 5108 404b07 5107->5108 5109 404b3e 5108->5109 5111 405f87 17 API calls 5108->5111 5113 404026 18 API calls 5109->5113 5110 404e03 5116 404e15 5110->5116 5117 404e0d SendMessageA 5110->5117 5118 404b20 SendMessageA SendMessageA 5111->5118 5115 404d57 5112->5115 5123 404957 5 API calls 5112->5123 5137 404ce4 5112->5137 5114 404b52 5113->5114 5119 404026 18 API calls 5114->5119 5115->5110 5120 404db0 SendMessageA 5115->5120 5144 404c66 5115->5144 5126 404e27 ImageList_Destroy 5116->5126 5127 404e2e 5116->5127 5140 404e3e 5116->5140 5117->5116 5118->5108 5138 404b60 5119->5138 5124 404dc5 SendMessageA 5120->5124 5120->5144 5121 40408d 8 API calls 5125 404ff9 5121->5125 5122 404d49 SendMessageA 5122->5115 5123->5137 5130 404dd8 5124->5130 5126->5127 5128 404e37 GlobalFree 5127->5128 5127->5140 5128->5140 5129 404c34 GetWindowLongA SetWindowLongA 5133 404c4d 5129->5133 5141 404de9 SendMessageA 5130->5141 5131 404fad 5132 404fbf ShowWindow GetDlgItem ShowWindow 5131->5132 5131->5144 5132->5144 5134 404c53 ShowWindow 5133->5134 5135 404c6b 5133->5135 5155 40405b SendMessageA 5134->5155 5156 40405b SendMessageA 5135->5156 5137->5115 5137->5122 5138->5129 5139 404baf SendMessageA 5138->5139 5142 404c2e 5138->5142 5145 404beb SendMessageA 5138->5145 5146 404bfc SendMessageA 5138->5146 5139->5138 5140->5131 5147 4049d7 4 API calls 5140->5147 5151 404e79 5140->5151 5141->5110 5142->5129 
5142->5133 5144->5121 5145->5138 5146->5138 5147->5151 5148 404f83 InvalidateRect 5148->5131 5149 404f99 5148->5149 5157 404912 5149->5157 5150 404ea7 SendMessageA 5154 404ebd 5150->5154 5151->5150 5151->5154 5153 404f31 SendMessageA SendMessageA 5153->5154 5154->5148 5154->5153 5155->5144 5156->5112 5160 40484d 5157->5160 5159 404927 5159->5131 5161 404863 5160->5161 5162 405f87 17 API calls 5161->5162 5163 4048c7 5162->5163 5164 405f87 17 API calls 5163->5164 5165 4048d2 5164->5165 5166 405f87 17 API calls 5165->5166 5167 4048e8 lstrlenA wsprintfA SetDlgItemTextA 5166->5167 5167->5159 5168 401490 5169 40508c 24 API calls 5168->5169 5170 401497 5169->5170 5171 401d95 GetDC 5172 402a9f 17 API calls 5171->5172 5173 401da7 GetDeviceCaps MulDiv ReleaseDC 5172->5173 5174 402a9f 17 API calls 5173->5174 5175 401dd8 5174->5175 5176 405f87 17 API calls 5175->5176 5177 401e15 CreateFontIndirectA 5176->5177 5178 402577 5177->5178 5179 404496 5180 4044c2 5179->5180 5181 4044d3 5179->5181 5240 405665 GetDlgItemTextA 5180->5240 5182 4044df GetDlgItem 5181->5182 5189 40453e 5181->5189 5185 4044f3 5182->5185 5184 4044cd 5187 4061cf 5 API calls 5184->5187 5188 404507 SetWindowTextA 5185->5188 5192 405996 4 API calls 5185->5192 5186 404622 5237 4047cc 5186->5237 5242 405665 GetDlgItemTextA 5186->5242 5187->5181 5193 404026 18 API calls 5188->5193 5189->5186 5194 405f87 17 API calls 5189->5194 5189->5237 5191 40408d 8 API calls 5196 4047e0 5191->5196 5197 4044fd 5192->5197 5198 404523 5193->5198 5199 4045b2 SHBrowseForFolderA 5194->5199 5195 404652 5200 4059eb 18 API calls 5195->5200 5197->5188 5204 4058fd 3 API calls 5197->5204 5201 404026 18 API calls 5198->5201 5199->5186 5202 4045ca CoTaskMemFree 5199->5202 5203 404658 5200->5203 5205 404531 5201->5205 5206 4058fd 3 API calls 5202->5206 5243 405f65 lstrcpynA 5203->5243 5204->5188 5241 40405b SendMessageA 5205->5241 5208 4045d7 5206->5208 5211 40460e SetDlgItemTextA 5208->5211 5215 405f87 17 API calls 5208->5215 5210 404537 5213 
4062fd 5 API calls 5210->5213 5211->5186 5212 40466f 5214 4062fd 5 API calls 5212->5214 5213->5189 5222 404676 5214->5222 5216 4045f6 lstrcmpiA 5215->5216 5216->5211 5218 404607 lstrcatA 5216->5218 5217 4046b2 5244 405f65 lstrcpynA 5217->5244 5218->5211 5220 4046b9 5221 405996 4 API calls 5220->5221 5223 4046bf GetDiskFreeSpaceA 5221->5223 5222->5217 5226 405944 2 API calls 5222->5226 5227 40470a 5222->5227 5225 4046e3 MulDiv 5223->5225 5223->5227 5225->5227 5226->5222 5228 404912 20 API calls 5227->5228 5238 40477b 5227->5238 5230 404768 5228->5230 5229 40479e 5245 404048 KiUserCallbackDispatcher 5229->5245 5232 40477d SetDlgItemTextA 5230->5232 5233 40476d 5230->5233 5231 40140b 2 API calls 5231->5229 5232->5238 5235 40484d 20 API calls 5233->5235 5235->5238 5236 4047ba 5236->5237 5239 4043ef SendMessageA 5236->5239 5237->5191 5238->5229 5238->5231 5239->5237 5240->5184 5241->5210 5242->5195 5243->5212 5244->5220 5245->5236 5246 10001058 5248 10001074 5246->5248 5247 100010dc 5248->5247 5249 100014bb GlobalFree 5248->5249 5250 10001091 5248->5250 5249->5250 5251 100014bb GlobalFree 5250->5251 5252 100010a1 5251->5252 5253 100010b1 5252->5253 5254 100010a8 GlobalSize 5252->5254 5255 100010b5 GlobalAlloc 5253->5255 5256 100010c6 5253->5256 5254->5253 5257 100014e2 3 API calls 5255->5257 5258 100010d1 GlobalFree 5256->5258 5257->5256 5258->5247 5259 401d1a 5260 402a9f 17 API calls 5259->5260 5261 401d28 SetWindowLongA 5260->5261 5262 402951 5261->5262 4756 40159d 4757 402ac1 17 API calls 4756->4757 4758 4015a4 SetFileAttributesA 4757->4758 4759 4015b6 4758->4759 5268 40149d 5269 4014ab PostQuitMessage 5268->5269 5270 4022e1 5268->5270 5269->5270 5271 401a1e 5272 402ac1 17 API calls 5271->5272 5273 401a27 ExpandEnvironmentStringsA 5272->5273 5274 401a3b 5273->5274 5276 401a4e 5273->5276 5275 401a40 lstrcmpA 5274->5275 5274->5276 5275->5276 5277 40171f 5278 402ac1 17 API calls 5277->5278 5279 401726 SearchPathA 5278->5279 5280 401741 5279->5280 5281 100010e0 5282 
1000110e 5281->5282 5283 100011c4 GlobalFree 5282->5283 5284 100012ad 2 API calls 5282->5284 5285 100011c3 5282->5285 5286 10001266 2 API calls 5282->5286 5287 10001155 GlobalAlloc 5282->5287 5288 100011ea GlobalFree 5282->5288 5289 100011b1 GlobalFree 5282->5289 5290 100012d1 lstrcpyA 5282->5290 5284->5282 5285->5283 5286->5289 5287->5282 5288->5282 5289->5282 5290->5282 5291 10002162 5292 100021c0 5291->5292 5293 100021f6 5291->5293 5292->5293 5294 100021d2 GlobalAlloc 5292->5294 5294->5292 3822 401e25 3823 402a9f 17 API calls 3822->3823 3824 401e2b 3823->3824 3825 402a9f 17 API calls 3824->3825 3826 401e37 3825->3826 3827 401e43 ShowWindow 3826->3827 3828 401e4e EnableWindow 3826->3828 3829 402951 3827->3829 3828->3829 5295 401f2b 5296 402ac1 17 API calls 5295->5296 5297 401f32 5296->5297 5298 406268 2 API calls 5297->5298 5299 401f38 5298->5299 5301 401f4a 5299->5301 5302 405ec3 wsprintfA 5299->5302 5302->5301 5303 40292c SendMessageA 5304 402951 5303->5304 5305 402946 InvalidateRect 5303->5305 5305->5304 5306 4026b4 5307 4026ba 5306->5307 5308 402951 5307->5308 5309 4026c2 FindClose 5307->5309 5309->5308 5310 402736 5311 402ac1 17 API calls 5310->5311 5312 402744 5311->5312 5313 40275a 5312->5313 5314 402ac1 17 API calls 5312->5314 5315 405ad9 2 API calls 5313->5315 5314->5313 5316 402760 5315->5316 5338 405afe GetFileAttributesA CreateFileA 5316->5338 5318 40276d 5319 402816 5318->5319 5320 402779 GlobalAlloc 5318->5320 5323 402831 5319->5323 5324 40281e DeleteFileA 5319->5324 5321 402792 5320->5321 5322 40280d CloseHandle 5320->5322 5339 4031a9 SetFilePointer 5321->5339 5322->5319 5324->5323 5326 402798 5327 403193 ReadFile 5326->5327 5328 4027a1 GlobalAlloc 5327->5328 5329 4027b1 5328->5329 5330 4027eb 5328->5330 5331 402f81 31 API calls 5329->5331 5332 405ba5 WriteFile 5330->5332 5337 4027be 5331->5337 5333 4027f7 GlobalFree 5332->5333 5334 402f81 31 API calls 5333->5334 5335 40280a 5334->5335 5335->5322 5336 4027e2 GlobalFree 5336->5330 5337->5336 
5338->5318 5339->5326 5340 402837 5341 402a9f 17 API calls 5340->5341 5342 40283d 5341->5342 5343 402865 5342->5343 5344 40287c 5342->5344 5349 402716 5342->5349 5345 402879 5343->5345 5346 40286a 5343->5346 5347 402896 5344->5347 5348 402886 5344->5348 5355 405ec3 wsprintfA 5345->5355 5354 405f65 lstrcpynA 5346->5354 5351 405f87 17 API calls 5347->5351 5350 402a9f 17 API calls 5348->5350 5350->5349 5351->5349 5354->5349 5355->5349 5356 4014b7 5357 4014bd 5356->5357 5358 401389 2 API calls 5357->5358 5359 4014c5 5358->5359 5360 401b39 5361 402ac1 17 API calls 5360->5361 5362 401b40 5361->5362 5363 402a9f 17 API calls 5362->5363 5364 401b49 wsprintfA 5363->5364 5365 402951 5364->5365 5366 40413a lstrcpynA lstrlenA 5367 40233a 5368 402ac1 17 API calls 5367->5368 5369 40234b 5368->5369 5370 402ac1 17 API calls 5369->5370 5371 402354 5370->5371 5372 402ac1 17 API calls 5371->5372 5373 40235e GetPrivateProfileStringA 5372->5373 4556 4015bb 4557 402ac1 17 API calls 4556->4557 4558 4015c2 4557->4558 4559 405996 4 API calls 4558->4559 4571 4015ca 4559->4571 4560 401624 4562 401652 4560->4562 4563 401629 4560->4563 4561 405928 CharNextA 4561->4571 4565 401423 24 API calls 4562->4565 4575 401423 4563->4575 4572 40164a 4565->4572 4568 4055cf 2 API calls 4568->4571 4569 4055ec 5 API calls 4569->4571 4570 40163b SetCurrentDirectoryA 4570->4572 4571->4560 4571->4561 4571->4568 4571->4569 4573 40160c GetFileAttributesA 4571->4573 4574 405552 4 API calls 4571->4574 4573->4571 4574->4571 4576 40508c 24 API calls 4575->4576 4577 401431 4576->4577 4578 405f65 lstrcpynA 4577->4578 4578->4570 5374 4016bb 5375 402ac1 17 API calls 5374->5375 5376 4016c1 GetFullPathNameA 5375->5376 5377 4016d8 5376->5377 5378 4016f9 5376->5378 5377->5378 5381 406268 2 API calls 5377->5381 5379 402951 5378->5379 5380 40170d GetShortPathNameA 5378->5380 5380->5379 5382 4016e9 5381->5382 5382->5378 5384 405f65 lstrcpynA 5382->5384 5384->5378 5385 401d3b GetDlgItem GetClientRect 5386 402ac1 17 API calls 
5385->5386 5387 401d6b LoadImageA SendMessageA 5386->5387 5388 402951 5387->5388 5389 401d89 DeleteObject 5387->5389 5389->5388

Control-flow Graph

[Control-flow graph for the function starting at 004031F1 (entry block calls SetErrorMode and GetVersion); basic-block and edge data not reproduced.]
APIs
• SetErrorMode.KERNELBASE ref: 00403216
• GetVersion.KERNEL32 ref: 0040321C
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
• OleInitialize.OLE32(00000000), ref: 00403292
• SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032AE
• GetCommandLineA.KERNEL32(benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",00000000,?,00000006,00000008,0000000A), ref: 004032D6
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",00000020,?,00000006,00000008,0000000A), ref: 00403301
• GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040340F
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040341B
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040342F
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403437
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403448
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403450
• DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403464
  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
  • Part of subcall function 004037B5: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243,1033,benevolently Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,benevolently Setup: Installing,00000000,00000002,76F93410), ref: 004038A5
  • Part of subcall function 004037B5: lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
  • Part of subcall function 004037B5: GetFileAttributesA.KERNEL32(Call), ref: 004038C3
  • Part of subcall function 004037B5: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243), ref: 0040390C
  • Part of subcall function 004037B5: RegisterClassA.USER32(0042EBA0), ref: 00403949
  • Part of subcall function 004036DB: CloseHandle.KERNEL32(000002CC,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
• OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403512
• ExitProcess.KERNEL32 ref: 00403533
• GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403650
• OpenProcessToken.ADVAPI32(00000000), ref: 00403657
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
• ExitWindowsEx.USER32(00000002,80040002), ref: 004036B2
• ExitProcess.KERNEL32 ref: 004036D5
  • Part of subcall function 00405681: MessageBoxIndirectA.USER32(0040A218), ref: 004056DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
• String ID: "$"C:\Users\user\Desktop\asXlZG3aW6.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes$C:\Users\user\Desktop$C:\Users\user\Desktop\asXlZG3aW6.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$benevolently Setup$~nsu
• API String ID: 3855923921-3632263227
• Opcode ID: a62ce931ca2efa7a527a2a800e7e0040844f4c2c3ebfe2fb719c727999237710
• Instruction ID: 41c275c355797b12fd9b138c60a2ad170ddd3a1f93bd6a9867a2704463122372
• Opcode Fuzzy Hash: a62ce931ca2efa7a527a2a800e7e0040844f4c2c3ebfe2fb719c727999237710
• Instruction Fuzzy Hash: 0DC1E470604741AAD7216F759E49B2F3EACAF45706F44053FF581B61E2CB7C8A098B2E

Control-flow Graph

[Control-flow graph for the function starting at 004051CA (dialog handler; blocks call GetDlgItem, SendMessageA, CreateThread and the clipboard APIs); basic-block and edge data not reproduced.]
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405229
• GetDlgItem.USER32(?,000003EE), ref: 00405238
• GetClientRect.USER32(?,?), ref: 00405275
• GetSystemMetrics.USER32(00000002), ref: 0040527C
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052AE
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C1
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004052CF
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E2
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405304
• ShowWindow.USER32(?,00000008), ref: 00405318
• GetDlgItem.USER32(?,000003EC), ref: 00405339
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405349
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405362
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040536E
• GetDlgItem.USER32(?,000003F8), ref: 00405247
  • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
• GetDlgItem.USER32(?,000003EC), ref: 0040538A
• CreateThread.KERNELBASE(00000000,00000000,Function_0000515E,00000000), ref: 00405398
                                                    • CloseHandle.KERNELBASE(00000000), ref: 0040539F
                                                    • ShowWindow.USER32(00000000), ref: 004053C2
                                                    • ShowWindow.USER32(?,00000008), ref: 004053C9
                                                    • ShowWindow.USER32(00000008), ref: 0040540F
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405443
                                                    • CreatePopupMenu.USER32 ref: 00405454
                                                    • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405469
                                                    • GetWindowRect.USER32(?,000000FF), ref: 00405489
                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054DE
                                                    • OpenClipboard.USER32(00000000), ref: 004054EE
                                                    • EmptyClipboard.USER32 ref: 004054F4
                                                    • GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD
                                                    • GlobalLock.KERNEL32(00000000), ref: 00405507
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405534
                                                    • SetClipboardData.USER32(00000001,00000000), ref: 0040553F
                                                    • CloseClipboard.USER32 ref: 00405545
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                    • String ID: 4y~$benevolently Setup: Installing
                                                    • API String ID: 590372296-1604112544
                                                    • Opcode ID: a43d3a3d4153c9e144370ebfb7e1485c24af32df1aebf0fefb0dd59f9748b4bf
                                                    • Instruction ID: ba98567820032f63b871bd6861c5d6e43a3521a54ecc658c1b1e5281d96d67ec
                                                    • Opcode Fuzzy Hash: a43d3a3d4153c9e144370ebfb7e1485c24af32df1aebf0fefb0dd59f9748b4bf
                                                    • Instruction Fuzzy Hash: D6A14971900608BFDF11AF61DE89AAF7F79EB04354F40403AFA41B61A0CB755E519F68

                                                    Control-flow Graph (rendered graph not reproduced; basic blocks of function 0040572D call the APIs listed below)
                                                    APIs
                                                    • DeleteFileA.KERNELBASE(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405756
                                                    • lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040579E
                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057BF
                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C5
                                                    • FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D6
                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405883
                                                    • FindClose.KERNEL32(00000000), ref: 00405894
                                                    Strings
                                                    • \*.*, xrefs: 00405798
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040573A
                                                    • "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 0040572D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                    • API String ID: 2035342205-3874276418
                                                    • Opcode ID: a11e03e59e5fd35a7b3b0442a482093daeb4251b1d727e15f9c9cc7460ea2170
                                                    • Instruction ID: 2a0351abb2716448ee460da7bfccfa5d3c7c3698b554042fcfc8e424752a7a40
                                                    • Opcode Fuzzy Hash: a11e03e59e5fd35a7b3b0442a482093daeb4251b1d727e15f9c9cc7460ea2170
                                                    • Instruction Fuzzy Hash: 2551B132900A04AAEF217B268C45FBF7A78DF42754F14817BF841B61D1D73C8952DEA9
                                                    APIs
                                                    • FindFirstFileA.KERNELBASE(76F93410,0042C0C0,0042BC78,00405A2E,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76F93410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 00406273
                                                    • FindClose.KERNELBASE(00000000), ref: 0040627F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                                    • Instruction ID: e0279db6a2f9a876ecb4b02bc738002a428a13ad585e0dc9357aaf1afb57e826
                                                    • Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                                    • Instruction Fuzzy Hash: 9DD012365060209FC25027786D0C85B7A589F053317118B7FF8AAF21E0C7348CA386DC

                                                    Control-flow Graph (rendered graph not reproduced; basic blocks of function 00403B52 call the APIs listed below)
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8E
                                                    • ShowWindow.USER32(?), ref: 00403BAB
                                                    • DestroyWindow.USER32 ref: 00403BBF
                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BDB
                                                    • GetDlgItem.USER32(?,?), ref: 00403BFC
                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C10
                                                    • IsWindowEnabled.USER32(00000000), ref: 00403C17
                                                    • GetDlgItem.USER32(?,00000001), ref: 00403CC5
                                                    • GetDlgItem.USER32(?,00000002), ref: 00403CCF
                                                    • SetClassLongA.USER32(?,000000F2,?), ref: 00403CE9
                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D3A
                                                    • GetDlgItem.USER32(?,00000003), ref: 00403DE0
                                                    • ShowWindow.USER32(00000000,?), ref: 00403E01
                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E13
                                                    • EnableWindow.USER32(?,?), ref: 00403E2E
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E44
                                                    • EnableMenuItem.USER32(00000000), ref: 00403E4B
                                                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E63
                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E76
                                                    • lstrlenA.KERNEL32(benevolently Setup: Installing,?,benevolently Setup: Installing,00000000), ref: 00403EA0
                                                    • SetWindowTextA.USER32(?,benevolently Setup: Installing), ref: 00403EAF
                                                    • ShowWindow.USER32(?,0000000A), ref: 00403FE3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                    • String ID: 4y~$benevolently Setup: Installing
                                                    • API String ID: 3282139019-1604112544
                                                    • Opcode ID: aa8af9cc06094f93f58c9526d7c11b9f91f5042ecf31170c9ab7365bbcb87e59
                                                    • Instruction ID: 825bbfaa6b66e15a56cde4951677423d70b10f791e0768be12abaf391e468a8e
                                                    • Opcode Fuzzy Hash: aa8af9cc06094f93f58c9526d7c11b9f91f5042ecf31170c9ab7365bbcb87e59
                                                    • Instruction Fuzzy Hash: 80C19F71604205AFDB206F22EE45E2B3EBCFB4570AF40053EFA42B11E1CB7999429B1D

                                                    Control-flow Graph (rendered graph not reproduced; basic blocks of function 004037B5 call the APIs listed below)
                                                    APIs
                                                      • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                                      • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                                    • lstrcatA.KERNEL32(1033,benevolently Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,benevolently Setup: Installing,00000000,00000002,76F93410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\asXlZG3aW6.exe",00000000), ref: 00403830
                                                    • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243,1033,benevolently Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,benevolently Setup: Installing,00000000,00000002,76F93410), ref: 004038A5
                                                    • lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
                                                    • GetFileAttributesA.KERNEL32(Call), ref: 004038C3
                                                    • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243), ref: 0040390C
                                                      • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                                                    • RegisterClassA.USER32(0042EBA0), ref: 00403949
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403961
                                                    • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403996
                                                    • ShowWindow.USER32(00000005,00000000), ref: 004039CC
                                                    • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 004039F8
                                                    • GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A05
                                                    • RegisterClassA.USER32(0042EBA0), ref: 00403A0E
                                                    • DialogBoxParamA.USER32(?,00000000,00403B52,00000000), ref: 00403A2D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$benevolently Setup: Installing
                                                    • API String ID: 1975747703-1019390391
                                                    • Opcode ID: d1b3841e1ff9c87adbcfc9175fdeebf26df0ac974e3d7619a30b9a5d2f2d3a26
                                                    • Instruction ID: cf57693f3f88dc886a5042f17341946b18930627488d4c28d640959b633c26bb
                                                    • Opcode Fuzzy Hash: d1b3841e1ff9c87adbcfc9175fdeebf26df0ac974e3d7619a30b9a5d2f2d3a26
                                                    • Instruction Fuzzy Hash: 3E61D770240600AED620BB669D45F373EACEB44749F40447EF985B22E2DB7C9D029A2D

                                                    Control-flow Graph (image; legend: Executed / Not Executed)
                                                    • Function 00402D48 - 00402F7E: API calls GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc, SetFilePointer; internal calls 00405AFE, 00405F65, 00405944, 00402CE4, 00403193, 004031A9, 00402F81, 00405AB9, 004063B4
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00402D59
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\asXlZG3aW6.exe,00000400), ref: 00402D75
                                                      • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405B02
                                                      • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\asXlZG3aW6.exe,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00402DC1
                                                    Strings
                                                    • soft, xrefs: 00402E36
                                                    • C:\Users\user\Desktop\asXlZG3aW6.exe, xrefs: 00402D5F, 00402D6E, 00402D82, 00402DA2
                                                    • C:\Users\user\Desktop, xrefs: 00402DA3, 00402DA8, 00402DAE
                                                    • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402F20
                                                    • Null, xrefs: 00402E3F
                                                    • Inst, xrefs: 00402E2D
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402D4F
                                                    • Error launching installer, xrefs: 00402D98
                                                    • "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 00402D48
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                    • String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\asXlZG3aW6.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                    • API String ID: 4283519449-2925266374
                                                    • Opcode ID: 7ea76b1eabee36cc462c4becf9ee5f087804ecb308710c36f18c8c35563ccf84
                                                    • Instruction ID: b7ea9236aecaa86e611592eb70b2ed5589fa10121b1bd9207fea2451aa196312
                                                    • Opcode Fuzzy Hash: 7ea76b1eabee36cc462c4becf9ee5f087804ecb308710c36f18c8c35563ccf84
                                                    • Instruction Fuzzy Hash: 9D51F431A00215ABDB20AF64DE89B9F7BB8FB14358F50413BE504B72D1C7B88D858B9C
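The function at 00402D48 is the NSIS stub's header loader: it opens its own image (GetModuleFileNameA, GetFileSize, SetFilePointer), scans it for the "Null" / "soft" / "Inst" signature that appears in the Strings list above, and shows the "Installer integrity check has failed" message when the trailing CRC does not match. The Python below is an added example written for this report, not code from Joe Sandbox, NSIS or the sample; it performs the same search and CRC check so the NSIS data block of an installer-packaged loader can be located and validated offline. The firstheader layout, the 0xDEADBEEF signature and the flag values are taken from the NSIS source (fileform.h); the 512-byte scan stride mirrors the stub's chunked read; the blob it runs on is constructed inline and stands in for a real installer.

```python
"""Locate and integrity-check an NSIS data block the way the stub's header loader does."""
import struct
import zlib

# NSIS "firstheader" (Source/exehead/fileform.h): seven little-endian DWORDs.
#   flags, siginfo (0xDEADBEEF), nsinst[3] ("Null", "soft", "Inst"),
#   length_of_header, length_of_all_following_data
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"
FH_FLAGS_UNINSTALL = 0x1
FH_FLAGS_SILENT = 0x2
FH_FLAGS_NO_CRC = 0x4
FH_FLAGS_FORCE_CRC = 0x8
FH_FLAGS_MASK = 0xF
FH_STRUCT = struct.Struct("<II12sII")
SCAN_STRIDE = 512  # the stub reads 512-byte chunks until it finds the header


def find_firstheader(data: bytes):
    """Return (offset, fields) of the first valid firstheader, or None if absent."""
    limit = len(data) - FH_STRUCT.size + 1
    for off in range(0, limit, SCAN_STRIDE):
        flags, sig, magic, hdr_len, total_len = FH_STRUCT.unpack_from(data, off)
        # Same three conditions the stub checks: signature, magic, no unknown flag bits.
        if sig != FH_SIG or magic != FH_MAGIC or flags & ~FH_FLAGS_MASK:
            continue
        return off, {"flags": flags, "length_of_header": hdr_len,
                     "length_of_all_following_data": total_len}
    return None


def check_integrity(data: bytes) -> dict:
    """Mimic the stub: CRC32 of everything before the trailing CRC dword must match it."""
    found = find_firstheader(data)
    if found is None:
        return {"ok": False, "reason": "no NSIS firstheader"}
    off, fh = found
    end = off + fh["length_of_all_following_data"]
    if end > len(data):
        return {"ok": False, "reason": "data block truncated", "offset": off}
    result = {"offset": off, "end": end, "flags": fh["flags"],
              "header_size": fh["length_of_header"],
              "trailing_bytes": len(data) - end}  # overlay after the block, e.g. a signature
    if fh["flags"] & FH_FLAGS_NO_CRC:
        result.update(ok=True, reason="crc disabled by flags")
        return result
    stored = struct.unpack_from("<I", data, end - 4)[0]
    computed = zlib.crc32(data[: end - 4]) & 0xFFFFFFFF
    result.update(ok=(stored == computed), stored_crc=stored, computed_crc=computed,
                  reason="ok" if stored == computed else "Installer integrity check has failed")
    return result


def build_sample(trailing: bytes = b"", corrupt: bool = False) -> bytes:
    """Constructed test input: fake PE stub + firstheader + header + datablock + CRC."""
    stub = b"MZ" + b"\x00" * 1022          # 1024-byte placeholder for the exehead
    header = b"H" * 40                     # stands in for the compressed NSIS header
    datablock = b"D" * 100                 # stands in for the compressed data block
    total = FH_STRUCT.size + len(header) + len(datablock) + 4
    fh = FH_STRUCT.pack(FH_FLAGS_FORCE_CRC, FH_SIG, FH_MAGIC, len(header), total)
    body = stub + fh + header + datablock
    blob = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + trailing
    if corrupt:  # flip one byte inside the data block to trigger the integrity failure
        blob = blob[:1100] + bytes([blob[1100] ^ 0xFF]) + blob[1101:]
    return blob


if __name__ == "__main__":
    for label, blob in (("intact", build_sample(trailing=b"\x00" * 64)),
                        ("corrupt", build_sample(corrupt=True))):
        print(label, check_integrity(blob))
```

On a real sample, read the file bytes and pass them to check_integrity; an offset that is not 512-aligned or a nonzero trailing_bytes value deserves a look, since data appended after the block (an Authenticode overlay, for instance) is outside the CRC and is exactly where this report flags an invalid certificate.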

                                                    Control-flow Graph (image; legend: Executed / Not Executed)
                                                    • Function 00405F87 - 004061CC: API calls GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA; internal calls 00405F65, 00405EC3, 00405E4C, 004061CF, and recursive calls to 00405F87
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004060B2
                                                    • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000), ref: 004060C5
                                                    • SHGetSpecialFolderLocation.SHELL32(004050C4,76F923A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000), ref: 00406101
                                                    • SHGetPathFromIDListA.SHELL32(76F923A0,Call), ref: 0040610F
                                                    • CoTaskMemFree.OLE32(76F923A0), ref: 0040611B
                                                    • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040613F
                                                    • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,00000000,0041AE28,76F923A0), ref: 00406191
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                    • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 717251189-817497017
                                                    • Opcode ID: c25c6e587ef3fde48e93a35018af7a99bc0d725d9e60a3ed05427843a892e885
                                                    • Instruction ID: 1b13e8ff18f2312f61c88a614d7ce51b6c0fc9f7833a06fa9902b6248b39176d
                                                    • Opcode Fuzzy Hash: c25c6e587ef3fde48e93a35018af7a99bc0d725d9e60a3ed05427843a892e885
                                                    • Instruction Fuzzy Hash: D561F170A00105AEDF20AF24CC90BBB3BA5EB55314F56413FE903BA2D2C67D4962CB5E

                                                    Control-flow Graph (image; legend: Executed / Not Executed)
                                                    • Function 00401759 - 00402960: API calls lstrcatA, CompareFileTime, SetFileTime, CloseHandle; internal calls 00402AC1, 0040596A, 00405F65, 004058FD, 004061CF, 00406268, 00405AD9, 00405AFE, 0040508C, 00402F81, 00405681
                                                    APIs
                                                    • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes,00000000,00000000,00000031), ref: 00401798
                                                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes,00000000,00000000,00000031), ref: 004017C2
                                                      • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                      • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0), ref: 004050E8
                                                      • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll), ref: 004050FA
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                    • String ID: C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes$C:\Users\user\AppData\Local\Temp\nsn45FA.tmp$C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll$Call
                                                    • API String ID: 1941528284-1615695908
                                                    • Opcode ID: 4811c27f678321775648cb42fdf4a010893550d1e61fc14233a6adfccbf9552d
                                                    • Instruction ID: 024705dcfdf044f05b4b82656432081f20986447a00b4521f0a60d415ab43704
                                                    • Opcode Fuzzy Hash: 4811c27f678321775648cb42fdf4a010893550d1e61fc14233a6adfccbf9552d
                                                    • Instruction Fuzzy Hash: 4841B431A04515BECB107BB58C45EAF3679EF05369F60833BF421F20E1D67C89428A6D

                                                    Control-flow Graph (image; legend: Executed / Not Executed)
                                                    • Function 00402F81 - 00403190: API calls GetTickCount, MulDiv, wsprintfA; internal calls 00403193, 004031A9, 00406422, 00405BA5, 0040508C
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CountTick$wsprintf
                                                    • String ID: (TA$(TA$... %d%%$W`A
                                                    • API String ID: 551687249-3157881336
                                                    • Opcode ID: 46c4353731e2246c325a5ee8fa82e7dbf3443aa0b1f18f7fec91e964ca525be6
                                                    • Instruction ID: f4b3021151c61e236b0315b1fcc5adb3b60be84788d5942dbd3e7f3cce39453d
                                                    • Opcode Fuzzy Hash: 46c4353731e2246c325a5ee8fa82e7dbf3443aa0b1f18f7fec91e964ca525be6
                                                    • Instruction Fuzzy Hash: 86517D71900219EBDB10DF65DA4469E7BB8EF48356F14853BE800BB2D0C7789E41CBAD

                                                    Control-flow Graph (image; legend: Executed / Not Executed)
                                                    • Function 0040508C - 0040515B: API calls lstrlenA, lstrcatA, SetWindowTextA, SendMessageA (three calls); internal calls 00405F87
                                                    APIs
                                                    • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                    • lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                    • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0), ref: 004050E8
                                                    • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll), ref: 004050FA
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                    • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll
                                                    • API String ID: 2531174081-28102199
                                                    • Opcode ID: 73176b0b033222a272c222bb19d3a1e41e441f303e298424a6cb10aa2d485b38
                                                    • Instruction ID: 508789985144291932d060d6ef0b432b589b283746e8f0e3613f73f9cddaab2c
                                                    • Opcode Fuzzy Hash: 73176b0b033222a272c222bb19d3a1e41e441f303e298424a6cb10aa2d485b38
                                                    • Instruction Fuzzy Hash: 9E217A71A00518BFDB119FA5CD85EDFBFA9EB05354F14807AF944AA290C6398A418F98

                                                    Control-flow Graph (image; legend: Executed / Not Executed)
                                                    • Function 00405552 - 004055CC: API calls CreateDirectoryA, GetLastError, SetFileSecurityA, GetLastError
                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                                    • GetLastError.KERNEL32 ref: 004055A9
                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
                                                    • GetLastError.KERNEL32 ref: 004055C8
                                                    Strings
                                                    • C:\Users\user\Desktop, xrefs: 00405552
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                    • API String ID: 3449924974-1729097607
                                                    • Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                                    • Instruction ID: d93b5df8f7ffc7c008eac1e7bdc238e6dcac3e6f5ce479452586b7e310885e58
                                                    • Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                                    • Instruction Fuzzy Hash: 550108B1C00219EADF11DBA1CD047EFBFB9EF04354F00803AD545B6290D77896088FA9
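The function records in this part of the report are machine-generated: a flattened control_flow_graph line, an API list keyed by ref address, a string list keyed by xref, and per-function hashes. The Python below is an added example for this report, not Joe Sandbox code. It parses one record in the form it takes in the page text, joins every direct API call to the basic block whose address range contains its ref, and runs a DFS over the block graph to surface back edges, which is how the GetTempFileNameA retry loop (block 722 -> 720 in the record at 405b2d) shows up without reading the disassembly. The two embedded inputs are copied from this page; the regexes, field names and the choice of the lowest-address block as the entry are this example's assumptions.

```python
"""Parse one Joe Sandbox "Execution Graph" function record (APIs, Strings, the
flattened control_flow_graph line, hash lines) as it appears in the report text.
Added example, not Joe Sandbox code; inputs copied from the page, fields assumed."""
import re
from collections import defaultdict

API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?(?P<api>\w+)\."
                    r"(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s+(?P<s>.*), xrefs: (?P<x>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s+(?P<k>[A-Za-z ]+?):\s*(?P<v>.*)$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^[0-9a-f]{4,}(?:-[0-9a-f]{4,})?$")  # block start[-end], lower-case hex
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_cfg(line):
    """'control_flow_graph 706 405552-40559d CreateDirectoryA ... 706->707' ->
    ({id: {start, end, label}}, [(src, dst)]). A decimal token opens a node only
    if an address range follows and it is not the count in 'call 402a9f * 2'."""
    toks = line.split()
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(toks):
        tok = toks[i]
        if (m := EDGE_RE.match(tok)):
            edges.append((int(m.group(1)), int(m.group(2))))
        elif (tok.isdigit() and toks[i - 1] != "*"
              and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1])):
            cur, (lo, _, hi) = int(tok), toks[i + 1].partition("-")
            nodes[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "label": []}
            i += 1
        elif cur is not None:
            nodes[cur]["label"].append(tok)  # 'call 402a9f', API names, '* 2'
        i += 1
    for n in nodes.values():
        n["label"] = " ".join(n["label"])
    return nodes, edges

def parse_record(text):
    """Split one record into its API calls, strings, CFG and key/value hash lines."""
    rec, section = {"apis": [], "strings": [], "cfg": None, "meta": {}}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("control_flow_graph "):
            rec["cfg"] = parse_cfg(line)
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m.group("args")
            rec["apis"].append({"api": m.group("api"), "module": m.group("mod"),
                                "args": args.split(",") if args is not None else [],
                                "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec["strings"].append({"value": m.group("s"), "xref": int(m.group("x"), 16)})
        elif (m := KV_RE.match(line)):
            rec["meta"][m.group("k")] = m.group("v")
    return rec

def back_edges(nodes, edges):
    """DFS from the lowest-address block; an edge to a block still on the DFS stack closes a loop."""
    succ, state, found = defaultdict(list), {}, []
    for a, b in edges:
        succ[a].append(b)
    def visit(n):
        state[n] = "open"
        for s in succ[n]:
            if state.get(s) == "open":
                found.append((n, s))
            elif s not in state:
                visit(s)
        state[n] = "done"
    visit(min(nodes, key=lambda k: nodes[k]["start"]))
    return found

def apis_by_block(rec):
    """Map each direct API call (not 'Part of subcall') to the block holding its ref."""
    nodes, out = rec["cfg"][0], defaultdict(list)
    for call in (c for c in rec["apis"] if not c["subcall"]):
        for nid, n in nodes.items():
            if n["start"] <= call["ref"] <= n["end"]:
                out[nid].append(call["api"])
                break
    return dict(out)

SAMPLE_RECORD = r"""
control_flow_graph 706 405552-40559d CreateDirectoryA 707 4055a3-4055b0 GetLastError 706->707 708 40559f-4055a1 706->708 709 4055ca-4055cc 707->709 710 4055b2-4055c6 SetFileSecurityA 707->710 708->709 710->708 711 4055c8 GetLastError 710->711 711->709
APIs
• CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
• GetLastError.KERNEL32 ref: 004055A9
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
• GetLastError.KERNEL32 ref: 004055C8
Strings
• C:\Users\user\Desktop, xrefs: 00405552
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
• Instruction Fuzzy Hash: 550108B1C00219EADF11DBA1CD047EFBFB9EF04354F00803AD545B6290D77896088FA9
"""
LOOP_CFG = ("control_flow_graph 719 405b2d-405b37 720 405b38-405b63 GetTickCount GetTempFileNameA "
            "719->720 721 405b72-405b74 720->721 722 405b65-405b67 720->722 724 405b6c-405b6f "
            "721->724 722->720 723 405b69 722->723 723->724")

if __name__ == "__main__":
    print(apis_by_block(parse_record(SAMPLE_RECORD)), back_edges(*parse_cfg(LOOP_CFG)))
```

The block-to-API join is the useful pivot: once each call sits in a numbered block, the edges tell you which calls are conditional on which (here SetFileSecurityA only runs on the GetLastError path after CreateDirectoryA), and the loop finder flags blocks that retry a call, which is where a sandbox-evasion sleep or a name-collision loop would live.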

                                                    Control-flow Graph (basic blocks with address range, calls made in the block, and successor blocks)
                                                    • 712 40628f-4062af GetSystemDirectoryA -> 713, 714
                                                    • 713 4062b1 -> 714
                                                    • 714 4062b3-4062b5 -> 715, 716
                                                    • 715 4062c5-4062c7 -> 718
                                                    • 716 4062b7-4062bf -> 715, 717
                                                    • 717 4062c1-4062c3 -> 718
                                                    • 718 4062c8-4062fa wsprintfA LoadLibraryExA -> (none)
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
                                                    • wsprintfA.USER32 ref: 004062DF
                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                    • String ID: %s%s.dll$UXTHEME$\
                                                    • API String ID: 2200240437-4240819195
                                                    • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                    • Instruction ID: 90c405808a5079913e9fc86ee6967ca4c100a0af48b71fe7beb271d56a4ee20c
                                                    • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                    • Instruction Fuzzy Hash: 89F0F630510609AADB15AB64DD0DFEB365CAB08304F1405BEA686F11C1EA78E9398B99

                                                    Control-flow Graph (basic blocks with address range, calls made in the block, and successor blocks)
                                                    • 719 405b2d-405b37 -> 720
                                                    • 720 405b38-405b63 GetTickCount GetTempFileNameA -> 721, 722
                                                    • 721 405b72-405b74 -> 724
                                                    • 722 405b65-405b67 -> 720, 723
                                                    • 723 405b69 -> 724
                                                    • 724 405b6c-405b6f -> (none)
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405B41
                                                    • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B5B
                                                    Strings
                                                    • nsa, xrefs: 00405B38
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                                    • "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 00405B2D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                    • API String ID: 1716503409-705149089
                                                    • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                    • Instruction ID: 439a7608ba980c1fff97265348ba0c774925dff8d33d3cb941cf273fff524f8a
                                                    • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                    • Instruction Fuzzy Hash: B0F082363042086BDB108F66DD04B9B7BA9DF91750F14803BFA48AA280D6B4E9588799

                                                    Control-flow Graph (basic blocks with address range, calls made in the block, and successor blocks)
                                                    • 725 100016bd-100016f9 call 10001a5d -> 729, 730
                                                    • 729 1000180a-1000180c -> (none)
                                                    • 730 100016ff-10001703 -> 731, 732
                                                    • 731 10001705-1000170b call 100021b0 -> 732
                                                    • 732 1000170c-10001719 call 100021fa -> 737, 738
                                                    • 737 10001749-10001750 -> 739, 740
                                                    • 738 1000171b-10001720 -> 741, 742
                                                    • 739 10001770-10001774 -> 745, 746
                                                    • 740 10001752-1000176e call 100023d8 call 10001559 call 10001266 GlobalFree -> 766
                                                    • 741 10001722-10001723 -> 743, 744
                                                    • 742 1000173b-1000173e -> 737, 747
                                                    • 743 10001725-10001726 -> 750, 751
                                                    • 744 1000172b-1000172c call 100027e4 -> 757
                                                    • 745 100017b2-100017b8 call 100023d8 -> 766
                                                    • 746 10001776-100017b0 call 10001559 call 100023d8 -> 766
                                                    • 747 10001740-10001741 call 10002a9f -> 760
                                                    • 750 10001733-10001739 call 10002587 -> 765
                                                    • 751 10001728-10001729 -> 737, 744
                                                    • 757 10001731 -> 760
                                                    • 760 10001746 -> 765
                                                    • 765 10001748 -> 737
                                                    • 766 100017b9-100017bd -> 769, 770
                                                    • 769 100017fa-10001801 -> 729, 773
                                                    • 770 100017bf-100017cd call 1000239e -> 775, 776
                                                    • 773 10001803-10001804 GlobalFree -> 729
                                                    • 775 100017e5-100017ec -> 769, 778
                                                    • 776 100017cf-100017d2 -> 775, 777
                                                    • 777 100017d4-100017dc -> 775, 779
                                                    • 778 100017ee-100017f9 call 100014e2 -> 769
                                                    • 779 100017de-100017df FreeLibrary -> 775
                                                    APIs
                                                      • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
                                                      • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
                                                      • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001768
                                                    • FreeLibrary.KERNEL32(?), ref: 100017DF
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                      • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                                      • Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9
                                                      • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3951283153.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951313366.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951330207.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc$Librarylstrcpy
                                                    • String ID:
                                                    • API String ID: 1791698881-3916222277
                                                    • Opcode ID: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
                                                    • Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
                                                    • Opcode Fuzzy Hash: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
                                                    • Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60

                                                    Control-flow Graph (basic blocks with address range, calls made in the block, and successor blocks)
                                                    • 782 401c04-401c24 call 402a9f * 2 -> 787, 788
                                                    • 787 401c30-401c34 -> 790, 791
                                                    • 788 401c26-401c2d call 402ac1 -> 787
                                                    • 790 401c40-401c46 -> 792, 793
                                                    • 791 401c36-401c3d call 402ac1 -> 790
                                                    • 792 401c94-401cba call 402ac1 * 2 FindWindowExA -> 807
                                                    • 793 401c48-401c64 call 402a9f * 2 -> 805, 806
                                                    • 805 401c84-401c92 SendMessageA -> 807
                                                    • 806 401c66-401c82 SendMessageTimeoutA -> 808
                                                    • 807 401cc0 -> 808
                                                    • 808 401cc3-401cc6 -> 809, 810
                                                    • 809 402951-402960 -> (none)
                                                    • 810 401ccc -> 809
                                                    APIs
                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    • Opcode ID: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                                                    • Instruction ID: bdc01a124477b6dd133b62af0939e03034df0dda3ad70936a50ebcebbcd9d6cc
                                                    • Opcode Fuzzy Hash: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                                                    • Instruction Fuzzy Hash: 9F218F71A44209BEEB15DFA5D946AED7BB0EB84304F14803EF505F61D1DA7889408F28
                                                    APIs
                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                      • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,00000000,0041AE28,76F923A0), ref: 004050E8
                                                      • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll), ref: 004050FA
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                                                    • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 2987980305-0
                                                    • Opcode ID: 8f2f68fe1260159639bfb28b43f5715fe2f8d879f7a621fd8f0c8717e3dae319
                                                    • Instruction ID: 3b54ba627a5d3606a08c88bc2c88048367fe0e0edc5ddf34d35ff9eabd327fef
                                                    • Opcode Fuzzy Hash: 8f2f68fe1260159639bfb28b43f5715fe2f8d879f7a621fd8f0c8717e3dae319
                                                    • Instruction Fuzzy Hash: A721DB71A04225ABCF207FA48E49B6E7670AB14358F20413BFB11B62D0CBBD4942966E
                                                    APIs
                                                      • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,76F93410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                      • Part of subcall function 00405552: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes,00000000,00000000,000000F0), ref: 0040163C
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes, xrefs: 00401631
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                    • String ID: C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes
                                                    • API String ID: 1892508949-1468882602
                                                    • Opcode ID: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                                                    • Instruction ID: 323619fe81b3529d61600e1e0eff0ce417d4ac591c1c2d39a63079fc07480124
                                                    • Opcode Fuzzy Hash: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                                                    • Instruction Fuzzy Hash: 2B11C431608152EBCB217BA54D415BF2AB4DA96324B28093FE9D1B22E2D63D4D425A2E
                                                    APIs
                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406090,80000002), ref: 00405E92
                                                    • RegCloseKey.ADVAPI32(?,?,00406090,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp\System.dll), ref: 00405E9D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID: Call
                                                    • API String ID: 3356406503-1824292864
                                                    • Opcode ID: 792f73651c5f0961c7d778f0fa8b648c5274768340d5a4a072e3937443cccb1f
                                                    • Instruction ID: 9bec2c93df88531f10cf132d6bbbb6393b4a4aad9e102c5e2669e285c315f56d
                                                    • Opcode Fuzzy Hash: 792f73651c5f0961c7d778f0fa8b648c5274768340d5a4a072e3937443cccb1f
                                                    • Instruction Fuzzy Hash: B7015A72500619ABEF228F61CD09FDB3BACEF55365F00802AF955A2191D378DA54CBA8
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 0040562D
                                                    • CloseHandle.KERNEL32(?), ref: 0040563A
                                                    Strings
                                                    • Error launching installer, xrefs: 00405617
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID: Error launching installer
                                                    • API String ID: 3712363035-66219284
                                                    • Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                    • Instruction ID: a14d50d96640d218925096829ca07d1800dc2b789f456133151d87fd2ad2a836
                                                    • Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                                                    • Instruction Fuzzy Hash: 9EE046F0640209BFEB109FA0ED49F7F7AACEB00704F404921BD00F2290E67499088A7C
                                                    APIs
                                                      • Part of subcall function 00406268: FindFirstFileA.KERNELBASE(76F93410,0042C0C0,0042BC78,00405A2E,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76F93410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 00406273
                                                      • Part of subcall function 00406268: FindClose.KERNELBASE(00000000), ref: 0040627F
                                                    • lstrlenA.KERNEL32 ref: 00402285
                                                    • lstrlenA.KERNEL32(00000000), ref: 0040228F
                                                    • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004022B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: FileFindlstrlen$CloseFirstOperation
                                                    • String ID:
                                                    • API String ID: 1486964399-0
                                                    • Opcode ID: ff20544c2ed3dac402f8f2b813109ebe9ee71c32dfbbaf7ddd8f9ee1c86ac438
                                                    • Instruction ID: d5f3cc7070b45be46c117aed2d447856533355de8cadbfc7f2d6224e08b7e174
                                                    • Opcode Fuzzy Hash: ff20544c2ed3dac402f8f2b813109ebe9ee71c32dfbbaf7ddd8f9ee1c86ac438
                                                    • Instruction Fuzzy Hash: BC118671A04205AACB10EFF59949A9EBBB8EF04304F10403FB405FB2C1D6BCC5418B65
                                                    APIs
                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
                                                    • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsn45FA.tmp,00000000,00000011,00000002), ref: 0040253C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Enum$CloseValue
                                                    • String ID:
                                                    • API String ID: 397863658-0
                                                    • Opcode ID: c7e20c0ea14cb53cf7e90ffa39c0c47fed26c4d9fa7a05aed64f9bce97d858d0
                                                    • Instruction ID: 7cc4705ec6358afed730085f06e11861ce0f90fa753b06a9139c19a758a622df
                                                    • Opcode Fuzzy Hash: c7e20c0ea14cb53cf7e90ffa39c0c47fed26c4d9fa7a05aed64f9bce97d858d0
                                                    • Instruction Fuzzy Hash: D801B171A04105BFE7159F699E9CABF7A7CDF40348F10003EF405A61C0DAB84A459769
                                                    APIs
                                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsn45FA.tmp,00000000,00000011,00000002), ref: 0040253C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID:
                                                    • API String ID: 3356406503-0
                                                    • Opcode ID: 2eaecf5d1f25b3e9b3db91f8049c91aae304fb395841604b111722c4aac40b40
                                                    • Instruction ID: 63e30908c11e451fd6d37fbe2862c18829a27713504d584fb03aa75526d5f0f4
                                                    • Opcode Fuzzy Hash: 2eaecf5d1f25b3e9b3db91f8049c91aae304fb395841604b111722c4aac40b40
                                                    • Instruction Fuzzy Hash: 0D110471A00205EECB14CF64DA889AF7AB4DF04304F20403FE446B72C0D6B88A42DB29
                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                                    • Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
                                                    • Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                                                    • Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
                                                    APIs
                                                    • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040239C
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 004023A5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CloseDeleteValue
                                                    • String ID:
                                                    • API String ID: 2831762973-0
                                                    • Opcode ID: 2d182bd5bb81964bf3d6c73abe0e5da04b16bc02b1ff3d310bbf2a1c0b54d073
                                                    • Instruction ID: 9f7344dbbbe295334ba4b59a8a7f158e9db2909d035d2b37875cf389d282e7c6
                                                    • Opcode Fuzzy Hash: 2d182bd5bb81964bf3d6c73abe0e5da04b16bc02b1ff3d310bbf2a1c0b54d073
                                                    • Instruction Fuzzy Hash: D3F09632B04111ABD710BFB89B8EABE76A89B40354F25003FEA05B71C1D9FC4D02476D
                                                    APIs
                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401E43
                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401E4E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Window$EnableShow
                                                    • String ID:
                                                    • API String ID: 1136574915-0
                                                    • Opcode ID: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
                                                    • Instruction ID: 3dc443410be61cb95396677418e376cd67e931bc8a1c74ede8e95758ff339cf3
                                                    • Opcode Fuzzy Hash: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
                                                    • Instruction Fuzzy Hash: B3E01272B082129FD714EBB6AA495AE77B4EB40325B10403BE415F11D1DE7888419F5D
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                                                      • Part of subcall function 0040628F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
                                                      • Part of subcall function 0040628F: wsprintfA.USER32 ref: 004062DF
                                                      • Part of subcall function 0040628F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2547128583-0
                                                    • Opcode ID: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                                                    • Instruction ID: 0a5867ae11c12db0e7684f2d0d3995392d51af775f5f68958dac655171f1c28e
                                                    • Opcode Fuzzy Hash: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                                                    • Instruction Fuzzy Hash: 83E08C32604221ABD210AB749E0493B63A8EF98740306483EF94AF2240DB3C9C7296A9
                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405B02
                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                    • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                                    • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                    • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,00000000,004031E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 004055D5
                                                    • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLast
                                                    • String ID:
                                                    • API String ID: 1375471231-0
                                                    • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                    • Instruction ID: ff59ce228810ab0b399ea54ffc24e93d20618ce1ebfa51e1db99450e15aaec59
                                                    • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                    • Instruction Fuzzy Hash: FAC08C30200101ABDB010B318F08B073A62AB80380F0288396042E00B4CA308004C92E
                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(00000000), ref: 100028A3
                                                    • GetLastError.KERNEL32 ref: 100029AA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: AllocErrorLastVirtual
• String ID:
• API String ID: 497505419-0
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: wsprintf
• String ID:
• API String ID: 2111968516-0
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0
  • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031A6,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8A
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040315C,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BB9
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727
Memory Dump Source
• Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E79,?,?,?,?,00000002,Call), ref: 00405E0F
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• SendMessageA.USER32(00010442,00000000,00000000,00000000), ref: 00404084
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• ShellExecuteExA.SHELL32(?,0040444B,?), ref: 00405656
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0
APIs
• SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
                                                    • Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
                                                    • Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
                                                    • Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 004031B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                    • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                    • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                    • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(?,00403E24), ref: 00404052
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID:
                                                    • API String ID: 2492992576-0
                                                    • Opcode ID: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
                                                    • Instruction ID: d750239a91494785f156a03a2b8d5ac9aaa4eec5ddabb582aaccf4f48b9497e5
                                                    • Opcode Fuzzy Hash: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
                                                    • Instruction Fuzzy Hash: C9A012710000009BCB015B00EF04C057F61AB507007018434A2404003186310432FF1D
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404A21
                                                    • GetDlgItem.USER32(?,00000408), ref: 00404A2C
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A76
                                                    • LoadBitmapA.USER32(0000006E), ref: 00404A89
                                                    • SetWindowLongA.USER32(?,000000FC,00405000), ref: 00404AA2
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AB6
                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AC8
                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 00404ADE
                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEA
                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AFC
                                                    • DeleteObject.GDI32(00000000), ref: 00404AFF
                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2A
                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B36
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BCB
                                                    • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BF6
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0A
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00404C39
                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C47
                                                    • ShowWindow.USER32(?,00000005), ref: 00404C58
                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D55
                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBA
                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DCF
                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF3
                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E13
                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 00404E28
                                                    • GlobalFree.KERNEL32(00000000), ref: 00404E38
                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB1
                                                    • SendMessageA.USER32(?,00001102,?,?), ref: 00404F5A
                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F69
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F89
                                                    • ShowWindow.USER32(?,00000000), ref: 00404FD7
                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404FE2
                                                    • ShowWindow.USER32(00000000), ref: 00404FE9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $M$N
                                                    • API String ID: 1638840714-813528018
                                                    • Opcode ID: 5f3c4739e10bdbc6f95dd4db3d934c78b0b3f0b6688006dd2a073d50567dd4f5
                                                    • Instruction ID: 5e7fd9033250abe3372a8cc080de2667683fe8f184775387c018329cb0bba4e6
                                                    • Opcode Fuzzy Hash: 5f3c4739e10bdbc6f95dd4db3d934c78b0b3f0b6688006dd2a073d50567dd4f5
                                                    • Instruction Fuzzy Hash: 9502A1B0A00209AFEB20DF55DD85AAE7BB5FB84315F14413AFA10B62E1C7789D42CF58
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003FB), ref: 004044E5
                                                    • SetWindowTextA.USER32(00000000,?), ref: 0040450F
                                                    • SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045C0
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004045CB
                                                    • lstrcmpiA.KERNEL32(Call,benevolently Setup: Installing), ref: 004045FD
                                                    • lstrcatA.KERNEL32(?,Call), ref: 00404609
                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040461B
                                                      • Part of subcall function 00405665: GetDlgItemTextA.USER32(?,?,00000400,00404652), ref: 00405678
                                                      • Part of subcall function 004061CF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                                                      • Part of subcall function 004061CF: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                                                      • Part of subcall function 004061CF: CharNextA.USER32(?,"C:\Users\user\Desktop\asXlZG3aW6.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                                                      • Part of subcall function 004061CF: CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                                                    • GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 004046D9
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F4
                                                      • Part of subcall function 0040484D: lstrlenA.KERNEL32(benevolently Setup: Installing,benevolently Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                                                      • Part of subcall function 0040484D: wsprintfA.USER32 ref: 004048F3
                                                      • Part of subcall function 0040484D: SetDlgItemTextA.USER32(?,benevolently Setup: Installing), ref: 00404906
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: 4y~$A$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243$Call$benevolently Setup: Installing
                                                    • API String ID: 2624150263-1647103667
                                                    • Opcode ID: 253962bdf1ca56d496f286ca68f5b659c957982d53365147659bd32eacec062f
                                                    • Instruction ID: e7c3eafb31c7d15e6a6da749512948d226074c80576101813d8e7fa34d4e7a23
                                                    • Opcode Fuzzy Hash: 253962bdf1ca56d496f286ca68f5b659c957982d53365147659bd32eacec062f
                                                    • Instruction Fuzzy Hash: 44A190B1900209ABDB11AFA6CD45AAFB7B8EF85314F14843BF605B72D1D77C89418B2D
                                                    APIs
                                                      • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                    • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
                                                    • lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
                                                    • lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001BCC
                                                    • GlobalFree.KERNEL32(?), ref: 10001CC4
                                                    • GlobalFree.KERNEL32(?), ref: 10001CC9
                                                    • GlobalFree.KERNEL32(?), ref: 10001CCE
                                                    • GlobalFree.KERNEL32(00000000), ref: 10001E76
                                                    • lstrcpyA.KERNEL32(?,?), ref: 10001FCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3951283153.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951313366.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951330207.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$lstrcpy$Alloc
                                                    • String ID:
                                                    • API String ID: 4227406936-0
                                                    • Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                                    • Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
                                                    • Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                                    • Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51
                                                    APIs
                                                    • CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes, xrefs: 0040218D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                    • String ID: C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes
                                                    • API String ID: 123533781-1468882602
                                                    • Opcode ID: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                                                    • Instruction ID: 70e90dd273e36d6cf470b0c6c9ff695bb876e65ea6d8ae05c01ad1deac9bcbee
                                                    • Opcode Fuzzy Hash: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                                                    • Instruction Fuzzy Hash: D9512775A00208BFCF10DFE4C988A9DBBB5EF48318F2045AAF915EB2D1DA799941CF14
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID:
                                                    • API String ID: 1974802433-0
                                                    • Opcode ID: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                                    • Instruction ID: 5589ad20af1132df25b1d4da55578e461c11660e8300270abb34f4e41d1b37c2
                                                    • Opcode Fuzzy Hash: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                                    • Instruction Fuzzy Hash: 8BF0A0726041119AD710E7B49999EEEB778DB21324F60057BE685F20C1C6B88A469B2A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                                    • Instruction ID: 12ef56279526f9f53f22afc89151adbe845766d01d6fb7ada6890335ffbed449
                                                    • Opcode Fuzzy Hash: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                                    • Instruction Fuzzy Hash: 5EE19A7190070ADFCB24CF58C980BAABBF1EB45305F15852EE497A72D1E338AA91CF44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                                    • Instruction ID: 968ea090ea57439d934916100a42e081e4144f1e312078ddc892fc3721ce49e9
                                                    • Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                                    • Instruction Fuzzy Hash: 18C14A31E0421ACBCF14CF68D4905EEBBB2BF99314F25866AD8567B380D734A942CF95
                                                    APIs
                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041FA
                                                    • GetDlgItem.USER32(00000000,000003E8), ref: 0040420E
                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040422C
                                                    • GetSysColor.USER32(?), ref: 0040423D
                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040424C
                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040425B
                                                    • lstrlenA.KERNEL32(?), ref: 0040425E
                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040426D
                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404282
                                                    • GetDlgItem.USER32(?,0000040A), ref: 004042E4
                                                    • SendMessageA.USER32(00000000), ref: 004042E7
                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404312
                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404352
                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00404361
                                                    • SetCursor.USER32(00000000), ref: 0040436A
                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 00404380
                                                    • SetCursor.USER32(00000000), ref: 00404383
                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043AF
                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                    • String ID: 4y~$:A@$Call$N
                                                    • API String ID: 3103080414-2095473053
                                                    • Opcode ID: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                                    • Instruction ID: 4cc5751811e84191dd39768f0d3a0055f5535ab869bb222e46a2b56927204bf5
                                                    • Opcode Fuzzy Hash: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                                    • Instruction Fuzzy Hash: DA6183B1A00205BFEB10AF61DD45F6A7B69EB84715F00413AFB05BA1D1C7B8A951CF98
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                    • DrawTextA.USER32(00000000,benevolently Setup,000000FF,00000010,00000820), ref: 00401156
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F$benevolently Setup
                                                    • API String ID: 941294808-4072580303
                                                    • Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                                                    • Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
                                                    • Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                                                    • Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
                                                    • GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C0E
                                                      • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                                                      • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                                                    • GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C2B
                                                    • wsprintfA.USER32 ref: 00405C49
                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405C84
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                                                    • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
                                                    • GlobalFree.KERNEL32(00000000), ref: 00405D32
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
                                                      • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405B02
                                                      • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                    • String ID: %s=%s$[Rename]
                                                    • API String ID: 2171350718-1727408572
                                                    • Opcode ID: f2ec23aa19f738889096a3ad1bd3946321de2aef01a06aa8690d73ef80469bf6
                                                    • Instruction ID: 17f8f1309641d4637e2ed4fc5cbc189083b9795c86085c8cd532ee5919f79a85
                                                    • Opcode Fuzzy Hash: f2ec23aa19f738889096a3ad1bd3946321de2aef01a06aa8690d73ef80469bf6
                                                    • Instruction Fuzzy Hash: 61310131601B19ABD2206B65AD8DF6B3A5CDF45714F14053BBA01F62D2EA7CA8018EBD
                                                    APIs
                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                                                    • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                                                    • CharNextA.USER32(?,"C:\Users\user\Desktop\asXlZG3aW6.exe",76F93410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                                                    • CharPrevA.USER32(?,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                                                    Strings
                                                    • *?|<>/":, xrefs: 00406217
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004061D0
                                                    • "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 0040620B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 589700163-3305866562
                                                    • Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                                    • Instruction ID: ed3a47555f86895cac8e455d85beb05a749fa7fcd8deb799c497f9efd275ca90
                                                    • Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                                    • Instruction Fuzzy Hash: D111E26180579029FB3226380C44B776F884F6A760F1900BFE8D2722C3CA7C5C62966E
                                                    APIs
                                                    • GetWindowLongA.USER32(?,000000EB), ref: 004040AA
                                                    • GetSysColor.USER32(00000000), ref: 004040C6
                                                    • SetTextColor.GDI32(?,00000000), ref: 004040D2
                                                    • SetBkMode.GDI32(?,?), ref: 004040DE
                                                    • GetSysColor.USER32(?), ref: 004040F1
                                                    • SetBkColor.GDI32(?,?), ref: 00404101
                                                    • DeleteObject.GDI32(?), ref: 0040411B
                                                    • CreateBrushIndirect.GDI32(?), ref: 00404125
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    • Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                                    • Instruction ID: 2d9fb341b818c34885f35f6e6d755d1b55c6e7706bb7847a6dc6733995099f15
                                                    • Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                                    • Instruction Fuzzy Hash: 1A216F71500704ABCB219F68DE08A4BBBF8AF41714F048939EAD5F66A0C734E948CB64
                                                    APIs
                                                      • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                    • GlobalFree.KERNEL32(?), ref: 100024B3
                                                    • GlobalFree.KERNEL32(00000000), ref: 100024ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                     • Associated: 00000000.00000002.3951283153.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000000.00000002.3951313366.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                     • Associated: 00000000.00000002.3951330207.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Global$Free$Alloc
                                                    • String ID:
                                                    • API String ID: 1780285237-0
                                                    • Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                                    • Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
                                                    • Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                                    • Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62
                                                    APIs
                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404972
                                                    • GetMessagePos.USER32 ref: 0040497A
                                                    • ScreenToClient.USER32(?,?), ref: 00404994
                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049A6
                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049CC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                    • Instruction ID: 403e93763916a0c69708d0661a5269b1e580af1e573dd698745729a1614bb606
                                                    • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                    • Instruction Fuzzy Hash: 02015EB190021DBAEB01DBA4DD85BFFBBFCAF55711F10412BBA50B61C0C7B499018BA5
                                                    APIs
                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                                    • MulDiv.KERNEL32(00046D47,00000064,000476F0), ref: 00402CA7
                                                    • wsprintfA.USER32 ref: 00402CB7
                                                    • SetWindowTextA.USER32(?,?), ref: 00402CC7
                                                    • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9
                                                    Strings
                                                    • verifying installer: %d%%, xrefs: 00402CB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: verifying installer: %d%%
                                                    • API String ID: 1451636040-82062127
                                                    • Opcode ID: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                    • Instruction ID: 537944924eabc97b3cccf86cf440a0916c3cc685b10ad000e4021125f5d30dc2
                                                    • Opcode Fuzzy Hash: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                    • Instruction Fuzzy Hash: 3401FF7164020DFBEF209F61DD09EEE37A9AB04305F008039FA06A92D0DBB999558F59
                                                    APIs
                                                    • GlobalFree.KERNEL32(00000000), ref: 10002348
                                                      • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
                                                    • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
                                                    • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
                                                    • GlobalFree.KERNEL32(00000000), ref: 100022FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3951283153.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951313366.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951330207.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                    • String ID:
                                                    • API String ID: 3730416702-0
                                                    • Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                                    • Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
                                                    • Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                                    • Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                                    • GlobalFree.KERNEL32(?), ref: 004027E5
                                                    • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                    • String ID:
                                                    • API String ID: 2667972263-0
                                                    • Opcode ID: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                                    • Instruction ID: 6644526d81fa5c7ff175c86addd85cc92bc24fd3ec06af29a2511a4f4fc8a5d3
                                                    • Opcode Fuzzy Hash: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                                    • Instruction Fuzzy Hash: 3B21BC71800124BBDF216FA5DE89D9E7B79EF04324F10423AF924762E0CA784D418FA8
                                                    APIs
                                                    • lstrlenA.KERNEL32(benevolently Setup: Installing,benevolently Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                                                    • wsprintfA.USER32 ref: 004048F3
                                                    • SetDlgItemTextA.USER32(?,benevolently Setup: Installing), ref: 00404906
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s$benevolently Setup: Installing
                                                    • API String ID: 3540041739-845447607
                                                    • Opcode ID: 9b3151ba7cee540e98112a4d3c0185064291859b30378dd226bea9325ccc70c9
                                                    • Instruction ID: 46e1028d5dd9cf3fa3a12b124fa319e283dc00677a7b855ac62dacd231200cde
                                                    • Opcode Fuzzy Hash: 9b3151ba7cee540e98112a4d3c0185064291859b30378dd226bea9325ccc70c9
                                                    • Instruction Fuzzy Hash: 8D11E477A041282BEB0075699C41EBF3298DB82374F24463BFE65F21D1E979CC1246E9
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3951283153.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951313366.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                    • Associated: 00000000.00000002.3951330207.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: FreeGlobal
                                                    • String ID:
                                                    • API String ID: 2979337801-0
                                                    • Opcode ID: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
                                                    • Instruction ID: adaf369aa6dab84e94bee76403d526b7d43184adb12fe210256c1aedb67fe499
                                                    • Opcode Fuzzy Hash: e61c022a33ae2d8226f4f9d8dc9768096fb4d6cd4e5c598d89deb3e57b8d12c3
                                                    • Instruction Fuzzy Hash: 43512536D04159AEFB55DFB488A4AEEBBF6EF453C0F124169E841B315DCA306E4087D2
                                                    APIs
                                                    • GetDC.USER32(?), ref: 00401D98
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                                    • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                                    • CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                    • String ID:
                                                    • API String ID: 3808545654-0
                                                    • Opcode ID: 4e723180d0b3fa804a5576cd7c509fc044a30b7d9b685e9650bac6fd0e0bc28f
                                                    • Instruction ID: e9269c0f41cd5a79e17a17131fa0488204b4df503fc5c3e11bd14e9e74a55962
                                                    • Opcode Fuzzy Hash: 4e723180d0b3fa804a5576cd7c509fc044a30b7d9b685e9650bac6fd0e0bc28f
                                                    • Instruction Fuzzy Hash: 24014072944344AEE7006BB4AE49BA97FE8EB15705F109439F141B61F2CB790405CF6D
                                                    APIs
                                                    • GetDlgItem.USER32(?), ref: 00401D3F
                                                    • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                                    • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                                    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                                    • DeleteObject.GDI32(00000000), ref: 00401D8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    • Opcode ID: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                                    • Instruction ID: b94dd0b2fc2efe961c915ac3dbaedcbaa59703da1128c811c259d0727350af9e
                                                    • Opcode Fuzzy Hash: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                                    • Instruction Fuzzy Hash: 6EF0FFB2600515BFDB00EBA4DE88DAFB7BCEB44301B04447AF645F2191CA748D018B38
                                                    APIs
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn45FA.tmp,00000023,00000011,00000002), ref: 0040241B
                                                    • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsn45FA.tmp,00000000,00000011,00000002), ref: 00402458
                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsn45FA.tmp,00000000,00000011,00000002), ref: 0040253C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CloseValuelstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsn45FA.tmp
                                                    • API String ID: 2655323295-1718577436
                                                    • Opcode ID: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                                    • Instruction ID: f3bc197a49376025d104d1766b7c26e04d62aafcfa214307c08bf0afb556c6f3
                                                    • Opcode Fuzzy Hash: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                                    • Instruction Fuzzy Hash: AD117271F00215BEDF10AFA59E89A9E7A74DB54314F20403AF908B61D1CAB84D419B68
                                                    APIs
                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00405903
                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 0040590C
                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 0040591D
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004058FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 2659869361-297319885
                                                    • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                    • Instruction ID: 647ad7e742d71b16062aa4f61d1124f0b3f0fcedfae467302285f0529c6cb9e2
                                                    • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                    • Instruction Fuzzy Hash: 46D0C9A2606A317AD21227159C09EDB6A4CCF57755B054076F640B61A1CA7C4D428BFE
                                                    APIs
                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C43
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Close$Enum
                                                    • String ID:
                                                    • API String ID: 464197530-0
                                                    • Opcode ID: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                                    • Instruction ID: b62f4967d327be975f6bbb281b4945b449d6b6e398a7fc8ef6fb9c274ae0afe8
                                                    • Opcode Fuzzy Hash: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                                    • Instruction Fuzzy Hash: 9A118832500109BBEF01AF91CF09B9E3B79EF08341F104036BA05B50E0E7B4EE52AB68
                                                    APIs
                                                    • DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
                                                    • GetTickCount.KERNEL32 ref: 00402D15
                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3946771867.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946800985.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946815581.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.3946917729.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                    Similarity
                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                    • String ID:
                                                    • API String ID: 2102729457-0
                                                    • Opcode ID: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                    • Instruction ID: 5343e4f3fd542578671bd54a8d6f819db7b5394acccd132b40ed42660498aa91
• Instruction Fuzzy Hash: 01F05430601521EBC7207F24FE8CA8F7A64BB08B11791047AF445B21F4DBB448C28B9C
APIs
• IsWindowVisible.USER32(?), ref: 0040502F
• CallWindowProcA.USER32(?,?,?,?), ref: 00405080
  • Part of subcall function 00404072: SendMessageA.USER32(00010442,00000000,00000000,00000000), ref: 00404084
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
• Instruction ID: 2f0027df7ddfe28b71d6e39f600ecebaf2ba5c74aec8f2e947ae9809186c917a
• Instruction Fuzzy Hash: 48017171500609ABDF205F51DD80E6F3B65EB84754F14403BFA01751D2C77A8CA29F9A
APIs
  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
  • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,76F93410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
  • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
  • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
• lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,76F93410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76F93410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A3E
• GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76F93410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,76F93410,C:\Users\user\AppData\Local\Temp\), ref: 00405A4E
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004059EB
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-297319885
• Opcode ID: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
• Instruction ID: 1f06baf1138d21f74630751e728cacf5283a8138a78bcc2982ba797f27b9272c
• Instruction Fuzzy Hash: 53F0C831315DA256C622323A1D45AAF1B45CE87338709477FF891B12D2EB3C89439EBD
APIs
• FreeLibrary.KERNEL32(?,76F93410,00000000,C:\Users\user\AppData\Local\Temp\,004036F8,00403512,?,?,00000006,00000008,0000000A), ref: 0040373A
• GlobalFree.KERNEL32(0080A040), ref: 00403741
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403720
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-297319885
• Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
• Instruction ID: 7d8ce370987dd57b7bf148727d206b09ac62311aee63c146eb442539f55f5a8e
• Instruction Fuzzy Hash: 39E0C27391212097C7313F54EE0871ABBA86F46B22F0A403AE8407B26487745C428BCC
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\asXlZG3aW6.exe,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 0040594A
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\asXlZG3aW6.exe,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405958
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-2743851969
• Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
• Instruction ID: 9e2646df26482555437471894173605ef17f2c9d125cfcd2b42401f98a5df656
• Instruction Fuzzy Hash: D6D0C9A240DDB1AEE70363249C04B9F6A88DF17710F0944A6E180B61A5C77C4D828BAD
APIs
• GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
• GlobalFree.KERNEL32(00000000), ref: 100011B4
• GlobalFree.KERNEL32(?), ref: 100011C7
• GlobalFree.KERNEL32(?), ref: 100011F5
Memory Dump Source
• Source File: 00000000.00000002.3951299433.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.3951283153.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.3951313366.0000000010003000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.3951330207.0000000010005000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
• Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
• Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
• Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A8B
• CharNextA.USER32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A9C
• lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
Memory Dump Source
• Source File: 00000000.00000002.3946783330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
• Instruction ID: de8867e187cffd76a1833f018909c3af52f45fcf8c0597c8515af2ce59788131
• Instruction Fuzzy Hash: F5F0C231201818AFCB02DBA4CD80D9EBBA8EF46350B2540B9E840F7211D774DE019FA9